Paul's family has a long, proud tradition of working in IT. His father ran support for a Stanford computer lab, and his grandfather — a greengrocer — claimed to have seen a UNIVAC one time. Ambling dutifully down the path their ancestors trod, not only was Paul sysadmin for a research lab, but his brother, Saul, was on the same university's network security team. The brothers' relationship was an amicable one, but there was one incident about which Saul always felt the need to give Paul a hard time.

It had been like any other day at Paul's workstation when an IM arrived from his brother: "I'm going to forward you an email we just got from the operator of a public NTP server - it's about one of YOUR machines." That sounded ominous, but Paul didn't have long to wait; a moment later, the complaint arrived in his inbox:

"To Whom It May Concern,

You have a server at [REDACTED] that is continuously querying my IP address, [REDACTED], for NTP data. While I do have an NTP server that is part of, your server has been polling for some time now at a rate of several queries per second. The result has been effectively a DOS attack against our network... not that I'm suggesting that was your intention. I'm sure your source machine has simply gone insane or been compromised by malware, as its NTP queries contain random and invalid originating time data. It's also ignoring the KOD packets I've sent. Please see the attached log snippet and packet captures for details.

Not to go all Kamp on you guys, but I'd appreciate you muzzling the machine.

Thanks for your help,


Though the passive-aggressive tone of Bob's email set his teeth on edge, Paul was quickly forced to admit fault. The server in question suffered from a crappy RTC and was drifting about a minute or two every day, so Paul forced it to update via NTP once an hour. That would have been fine, but when he set up the cronjob he forgot to include the switch that would terminate the NTP daemon after sending the request. Every hour a new daemon joined the cackling chorus, and by the time Paul investigated 4300 instances were running, merrily flooding the poor NTP server with a constant stream of requests. Paul explained the situation to Saul, started killing processes left and right, and then drafted a letter of apology, his brother ribbing him over IM all the while.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!