[ntp:questions] NTP.POOL.ORG Server is a shadowserver

Rob nomail at example.com
Thu Oct 18 16:06:55 UTC 2012


Uwe Klein <uwe at klein-habertwedt.de> wrote:
> Rob wrote:
>> Mike S <mikes at flatsurface.com> wrote:
>> 
>>>On 10/17/2012 3:04 PM, Rob wrote:
>>>
>>>>Today many ISPs and companies run intrusion detection systems that
>>>>monitor the traffic and send alerts when there is communication with
>>>>systems listed as botnet C&C servers.
>>>>
>>>>So when such a server appears on ntp.pool.org, and a user picks it
>>>>to sync with, they get stamped as potentially infected by malware
>>>>and could face disconnection or other forms of quarantine.
>>>>
>>>>Clear now?
>>>
>>>Yes. The problem is that the intrusion detection systems run by many 
>>>companies and ISPs produce false positives.
>> 
>> 
>> And another problem is that it is *very difficult* to avoid that.
>> 
>> Think about it.  A C&C server could use port 123 for its communication,
>> support normal NTP operations, register itself to the pool, and for
>> the detection system everything would be normal.
>> But maybe it implements some exotic NTP packet like a readvar that
>> allows the botnet to retrieve its info from the C&C server.
>> How is the intrusion detection system supposed to recognize this
>> situation without advance knowledge?
>
> This would not lead to false positives.
> This would lead to false negatives.

And because intrusion detection vendors don't want false negatives,
they err on the safe side in this case.  Any communication with a
C&C server triggers an alert, it does not matter if it looks like
NTP or not.

And I think that is very wise.  There are many protocols that can
be used to hide communication, and it is undoable to analyze all
of them to the level where you can be sure it is innocent.
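As an added illustration (not part of this thread or of any real IDS product), the detection rule Rob describes can be written down: any flow to an address on a C&C list raises an alert regardless of whether the payload is well-formed NTP, while a readvar control query is only a weaker secondary signal. Addresses, the list and the packets are constructed sample data.

```python
# Added example: the "list hit alerts regardless of protocol" rule from the
# thread, run over constructed NTP flows.  Not code from any real IDS.
from dataclasses import dataclass

NTP_MODE_CONTROL = 6      # mode 6 = control message (what ntpq readvar uses)
NTP_OPCODE_READVAR = 2    # control opcode 2 = READVAR (RFC 1305 Appendix B)

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes

def classify_ntp(payload: bytes) -> str:
    """Label a UDP/123 payload from its NTP header fields only."""
    if len(payload) < 2:
        return "not_ntp"
    version = (payload[0] >> 3) & 0x7
    mode = payload[0] & 0x7
    if version not in (2, 3, 4):
        return "not_ntp"
    if mode == 3 and len(payload) >= 48:
        return "client_request"             # ordinary time-sync request
    if mode == NTP_MODE_CONTROL:
        opcode = payload[1] & 0x1F
        return "control_readvar" if opcode == NTP_OPCODE_READVAR else "control_other"
    return f"mode_{mode}"

def evaluate(flows, c2_list):
    """Return (flow, reason, ntp_label) alerts; a list hit wins over protocol look."""
    alerts = []
    for f in flows:
        label = classify_ntp(f.payload) if f.dport == 123 else "not_ntp"
        if f.dst in c2_list:
            alerts.append((f, "contact_with_listed_c2", label))  # NTP or not, it alerts
        elif label == "control_readvar":
            alerts.append((f, "ntp_control_query", label))       # constructed heuristic
    return alerts

# Constructed sample traffic (documentation addresses, not real hosts).
CLIENT_REQ = bytes([0x23]) + bytes(47)   # LI=0 VN=4 mode=3, 48-byte request
READVAR = bytes([0x26, 0x02]) + bytes(10)  # VN=4 mode=6, opcode READVAR, 12-byte header
FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 123, CLIENT_REQ),    # pool server that is also listed
    Flow("10.0.0.5", "192.0.2.10", 123, READVAR),
    Flow("10.0.0.6", "198.51.100.7", 123, CLIENT_REQ),  # unlisted pool server
    Flow("10.0.0.6", "198.51.100.7", 123, READVAR),
]
C2_LIST = {"192.0.2.10"}

if __name__ == "__main__":
    for f, reason, label in evaluate(FLOWS, C2_LIST):
        print(f"{f.src}->{f.dst}:{f.dport} {reason} ({label})")
```

The first two flows alert purely on the listed address, which is exactly the false-positive case for a legitimate pool server that has landed on such a list.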
