[ntp:questions] NTP.POOL.ORG Server is a shadowserver

Mike S mikes at flatsurface.com
Thu Oct 18 16:08:26 UTC 2012

On 10/18/2012 11:10 AM, Rob wrote:

> But maybe it implements some exotic NTP packet like a readvar that
> allows the botnet to retrieve its info from the C&C server.
Point to a botnet that does that.

> How is the intrusion detection system supposed to recognize this
> situation without advance knowledge?
How does an IDS identify _any_ threat without prior knowledge? How did 
that host get identified as part of a botnet in the first place, and is 
that botnet known to use even UDP/123 for communications, let alone NTP 
look-alike packets?

More information about the questions mailing list