[ntp:questions] NTP.POOL.ORG Server is a shadowserver
mikes at flatsurface.com
Thu Oct 18 16:08:26 UTC 2012
On 10/18/2012 11:10 AM, Rob wrote:
> But maybe it implements some exotic NTP packet like a readvar that
> allows the botnet to retrieve its info from the C&C server.
Point to a botnet that does that.
> How is the intrusion detection system supposed to recognize this
> situation without advance knowledge?
How does an IDS identify _any_ threat without prior knowledge? How did
that host get identified as part of a botnet in the first place, and is
that botnet known to use even UDP/123 for communications, let alone NTP
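The question in this exchange is what an IDS can see on UDP/123 without already knowing the botnet. The following is an added example, not part of the original post or anything the list members wrote: it decodes NTP headers and separates ordinary time-sync traffic (mode 3 request, mode 4 reply) from mode 6 control messages such as readvar (opcode 2), which carry a free-form text data field. The sample payloads, addresses and the readvar text are constructed for the example; nothing here is captured traffic.

```python
import struct

# NTP header byte 0 = LI(2 bits) | VN(3 bits) | Mode(3 bits); mode values from RFC 5905 section 7.3.
MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}

# Mode 6 control opcodes (RFC 1305 Appendix B, as used by ntpq). READVAR is opcode 2.
CTL_OPCODES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK",
               5: "WRITECLOCK", 6: "SETTRAP", 7: "ASYNCMSG", 8: "UNSETTRAP"}


def parse_ntp(payload: bytes) -> dict:
    """Decode the header of one UDP/123 payload.

    Time-sync packets (modes 1-5) are at least 48 bytes.  Control packets
    (mode 6) have a 12-byte header followed by `count` bytes of text data,
    which is where readvar output (or anything else) travels.
    """
    if not payload:
        raise ValueError("empty payload")
    first = payload[0]
    info = {"version": (first >> 3) & 0x7,
            "mode": first & 0x7,
            "mode_name": MODE_NAMES.get(first & 0x7, "reserved")}
    if info["mode"] == 6:
        if len(payload) < 12:
            raise ValueError("truncated control header")
        flags_op, seq, status, assoc, offset, count = struct.unpack("!BHHHHH", payload[1:12])
        op = flags_op & 0x1F
        info.update({
            "response": bool(flags_op & 0x80),   # R bit: set on replies
            "error": bool(flags_op & 0x40),      # E bit: error response
            "more": bool(flags_op & 0x20),       # M bit: more fragments follow
            "opcode": CTL_OPCODES.get(op, "UNKNOWN(%d)" % op),
            "sequence": seq,
            "assoc": assoc,
            "data": payload[12:12 + count],
        })
    elif len(payload) < 48:
        raise ValueError("time-sync packet shorter than 48 bytes")
    return info


def flag_control_traffic(flows):
    """flows: iterable of (src, dst, payload).  Returns one alert string per
    mode 6 packet or malformed payload.  The detector can say that a control
    exchange happened and how much data moved; it cannot say what the data
    means without knowledge of the peers involved."""
    alerts = []
    for src, dst, payload in flows:
        try:
            info = parse_ntp(payload)
        except ValueError as exc:
            alerts.append("%s -> %s: malformed UDP/123 payload (%s)" % (src, dst, exc))
            continue
        if info["mode"] == 6:
            direction = "response" if info["response"] else "request"
            alerts.append("%s -> %s: NTP control %s %s, %d data bytes" % (
                src, dst, info["opcode"], direction, len(info["data"])))
    return alerts


# Constructed sample payloads (not captured traffic).
CLIENT_SYNC = bytes([0x1B]) + bytes(47)   # LI 0, VN 3, mode 3 (client request)
SERVER_SYNC = bytes([0x1C]) + bytes(47)   # LI 0, VN 3, mode 4 (server reply)
READVAR_REQ = bytes([0x16, 0x02]) + struct.pack("!HHHHH", 1, 0, 0, 0, 0)   # VN 2, mode 6, opcode 2
READVAR_DATA = b'version="ntpd", processor="x86_64"'                        # constructed readvar text
READVAR_RESP = (bytes([0x16, 0x82]) + struct.pack("!HHHHH", 1, 0, 0, 0, len(READVAR_DATA))
                + READVAR_DATA)                                             # R bit set, opcode 2

# Constructed flow list using documentation addresses (RFC 5737).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", CLIENT_SYNC),
    ("198.51.100.7", "192.0.2.10", SERVER_SYNC),
    ("192.0.2.10", "198.51.100.7", READVAR_REQ),
    ("198.51.100.7", "192.0.2.10", READVAR_RESP),
]

if __name__ == "__main__":
    for alert in flag_control_traffic(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed flows, the two sync packets produce nothing and the readvar request and reply each produce an alert naming the opcode, direction and data length. That is the limit of what the header gives you: a readvar exchange with a public pool server stands out from plain mode 3/4 sync traffic, but deciding whether it is ntpq or something else still needs the prior knowledge the thread is arguing about.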