[ntp:questions] NTP.POOL.ORG Server is a shadowserver

Rob nomail at example.com
Thu Oct 18 15:10:56 UTC 2012

Mike S <mikes at flatsurface.com> wrote:
> On 10/17/2012 3:04 PM, Rob wrote:
>> Today many ISPs and companies run intrusion detection systems that
>> monitor the traffic and send alerts when there is communication with
>> systems listed as botnet C&C servers.
>> So when such a server appears on ntp.pool.org, and a user picks it
>> to sync with, they get stamped as potentially infected by malware
>> and could face disconnection or other forms of quarantine.
>> Clear now?
> Yes. The problem is that the intrusion detection systems run by many 
> companies and ISPs produce false positives.

And another problem is that is is *very difficult* to avoid that.

Think about it.  A C&C server could use port 123 for its communication,
support normal NTP operations, register itself to the pool, and for
the detection system everything would be normal.
But maybe it implements some exotic NTP packet like a readvar that
allows the botnet to retrieve its info from the C&C server.
How is the intrusion detection system supposed to recognize this
situation without advance knowledge?

More information about the questions mailing list