#34 DShield Time-checks failing

open
nobody
None
5
2007-01-16
2007-01-16
Old_Crow
No

I received two DShield TimeStamp messages as follows:
...
You visited the DShield server's timestamp page. We compared the logs you submitted with our records and found the following times:

Our Time: 2007-01-13 18:19:47 UTC
Your Time: 2007-01-13 16:05:06 UTC
...
You visited the DShield server's timestamp page. We compared the logs you submitted with our records and found the following times:

Our Time: 2007-01-13 18:19:47 UTC
Your Time: 2007-01-13 16:20:04 UTC
...

(These messages originated from the automatic timestamp mechanism, rather than being manually requested).

My firewall logs show that timestamps were received at the relevant times (16:05:06, 16:20:04 and 18:19:47) but ALL had the same target port of 10329. It therefore seems that the timestamp mechanism has mistaken the earlier probes for the one it is apparently looking for, i.e. the one at 18:19:47.

I have extracted the timestamp probes for the period 15:00:00-18:59:59, which shows probes being received at about 15-minute intervals with a considerable degree of duplication of target port numbers. This seems very likely to result in timestamp check failures. Also, is it really intended to send these probes so frequently? The previous version of the system claimed to check once per week, which seems adequate. In any case, probes more frequent than once per day would need to ensure uniqueness of target port number to avoid spurious check failures on logs which are submitted in batches of multiple hours of data.

As it happens the timestamps being complained of were included in one batch of data, and the one being sought was not submitted until AFTER the failure messages were generated as it had not yet been forwarded by the router.

Thanks,

Tony Waller

Extract of logged timestamp messages follows:

...
2007-01-13 15:04:49 1 65.173.218.96 37285 194.106.xxx.yyy 10325 TCP
2007-01-13 15:21:20 1 65.173.218.96 39663 194.106.xxx.yyy 10325 TCP
2007-01-13 15:34:46 1 65.173.218.96 41630 194.106.xxx.yyy 10325 TCP
2007-01-13 15:49:55 1 65.173.218.96 43758 194.106.xxx.yyy 10325 TCP
2007-01-13 16:05:06 1 65.173.218.96 45976 194.106.xxx.yyy 10329 TCP
2007-01-13 16:20:04 1 65.173.218.96 48135 194.106.xxx.yyy 10329 TCP
2007-01-13 16:34:38 1 65.173.218.96 50292 194.106.xxx.yyy 10326 TCP
2007-01-13 16:52:25 1 65.173.218.96 53008 194.106.xxx.yyy 10326 TCP
2007-01-13 17:05:59 1 65.173.218.96 55067 194.106.xxx.yyy 10327 TCP
2007-01-13 17:20:03 1 65.173.218.96 57187 194.106.xxx.yyy 10331 TCP
Following included in next batch submitted:
2007-01-13 17:35:10 1 65.173.218.96 59491 194.106.xxx.yyy 10327 TCP
2007-01-13 17:50:04 1 65.173.218.96 33583 194.106.xxx.yyy 10327 TCP
2007-01-13 18:05:29 1 65.173.218.96 36004 194.106.xxx.yyy 10328 TCP
2007-01-13 18:19:49 1 65.173.218.96 38364 194.106.xxx.yyy 10329 TCP
2007-01-13 18:34:46 1 65.173.218.96 40494 194.106.xxx.yyy 10328 TCP
2007-01-13 18:49:38 1 65.173.218.96 42933 194.106.xxx.yyy 10328 TCP
...

Note that I continue to receive similar erroneous messages concerning my firewall time settings - actually they are correct to ~1 second as the firewall syncs daily with a Network Time Server (ntp0.ja.net).
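As an added illustration (not part of the report and not DShield's own code), the Python below parses the firewall extract from the report and shows why matching a server record by target port alone is ambiguous: three logged probes share port 10329, so a port-only check can compare the server's 18:19:47 with the 16:05:06 line and report skew, whereas requiring the probe's source port or treating several matches as inconclusive avoids the spurious failure. The 5-minute tolerance and the assumption that the server also records its own source port are mine, not something the report states.

```python
from datetime import datetime, timedelta

# Constructed sample: four lines copied from the firewall extract in the report
# (date time count src sport dst dport proto), plus one of its annotation lines.
LOG_EXTRACT = """\
2007-01-13 16:05:06 1 65.173.218.96 45976 194.106.xxx.yyy 10329 TCP
2007-01-13 16:20:04 1 65.173.218.96 48135 194.106.xxx.yyy 10329 TCP
2007-01-13 16:34:38 1 65.173.218.96 50292 194.106.xxx.yyy 10326 TCP
Following included in next batch submitted:
2007-01-13 18:19:49 1 65.173.218.96 38364 194.106.xxx.yyy 10329 TCP
"""
# Server-side record from the DShield message quoted in the report.
SERVER_TIME = datetime(2007, 1, 13, 18, 19, 47)
SERVER_DPORT = 10329
SERVER_SPORT = 38364                # assumption: the server also records its source port
TOLERANCE = timedelta(minutes=5)    # assumption: acceptable clock skew

def parse_log(text):
    """Parse 'date time count src sport dst dport proto' records; skip anything else."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue                # annotation line, not a log record
        entries.append({
            "time": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S"),
            "sport": int(parts[4]),
            "dport": int(parts[6]),
        })
    return entries

def find_candidates(entries, dport, sport=None):
    """Port-only matching (the behaviour the report describes); sport disambiguates."""
    return [e for e in entries
            if e["dport"] == dport and (sport is None or e["sport"] == sport)]

def evaluate(candidates, server_time, tolerance=TOLERANCE):
    """Return (verdict, offsets in seconds). With several candidates the check
    must say 'ambiguous' instead of picking one and reporting a bad clock."""
    offsets = [(e["time"] - server_time).total_seconds() for e in candidates]
    if len(offsets) != 1:
        return ("ambiguous" if offsets else "missing"), offsets
    verdict = "ok" if abs(offsets[0]) <= tolerance.total_seconds() else "skew"
    return verdict, offsets

if __name__ == "__main__":
    entries = parse_log(LOG_EXTRACT)
    print(evaluate(find_candidates(entries, SERVER_DPORT), SERVER_TIME))
    print(evaluate(find_candidates(entries, SERVER_DPORT, SERVER_SPORT), SERVER_TIME))
```

Run as-is, the first line printed is the ambiguous port-only result with offsets of roughly -2h15m, -2h and +2s; the second, disambiguated by source port, is the 2-second offset the firewall's NTP sync would lead one to expect.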

Discussion

  • Logged In: NO

    How do I turn this feature off? I can't find the option to control this anymore, but the IP keeps probing my system 24/7....