[ntp:questions] NTP.POOL.ORG Server is a shadowserver

Uwe Klein uwe at klein-habertwedt.de
Thu Oct 18 15:19:13 UTC 2012

Rob wrote:
> Mike S <mikes at flatsurface.com> wrote:
>>On 10/17/2012 3:04 PM, Rob wrote:
>>>Today many ISPs and companies run intrusion detection systems that
>>>monitor the traffic and send alerts when there is communication with
>>>systems listed as botnet C&C servers.
>>>So when such a server appears on ntp.pool.org, and a user picks it
>>>to sync with, they get stamped as potentially infected by malware
>>>and could face disconnection or other forms of quarantine.
>>>Clear now?
>>Yes. The problem is that the intrusion detection systems run by many 
>>companies and ISPs produce false positives.
> And another problem is that is is *very difficult* to avoid that.
> Think about it.  A C&C server could use port 123 for its communication,
> support normal NTP operations, register itself to the pool, and for
> the detection system everything would be normal.
> But maybe it implements some exotic NTP packet like a readvar that
> allows the botnet to retrieve its info from the C&C server.
> How is the intrusion detection system supposed to recognize this
> situation without advance knowledge?

This would not lead to false positives.
this would lead to false negatives.

The problem is that commercial entities are absolutely
desinterested and careless beyond their business model.


More information about the questions mailing list