[ntp:questions] NTP.POOL.ORG Server is a shadowserver

Rob nomail at example.com
Thu Oct 18 16:36:56 UTC 2012

Mike S <mikes at flatsurface.com> wrote:
> On 10/18/2012 11:10 AM, Rob wrote:
>> But maybe it implements some exotic NTP packet like a readvar that
>> allows the botnet to retrieve its info from the C&C server.
> Point to a botnet that does that.
>> How is the intrusion detection system supposed to recognize this
>> situation without advance knowledge?
> How does an IDS identify _any_ threat without prior knowledge? How did 
> that host get identified as part of a botnet in the first place, and is 
> that botnet known to use even UDP/123 for communications, let alone NTP 
> look-alike packets?

An IDS gets some form of feed of botnet systems that it needs to
identify in packet streams.  As botnets get more and more clever,
this really cannot be more specific than an IP address to watch for.
Any more specific information, like a port number or protocol, is bound
to cause missed detection, as port numbers are changed all the time, and
communications are usually encrypted and otherwise stealthy.

I am not part of the hacker scene and so I cannot make any statements
about the use of NTP to hide botnet communications.  Maybe it has
been done, maybe it hasn't.  Too many botnets to make a statement
about that.
What I *do* know by reading the occasional article about subjects
like this is that a lot of other protocols are used by botnets to
hide their communications, including HTTP, HTTPS, DNS.  There is
really no reason why it cannot be NTP.
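The point Rob makes about watch-lists, that a feed entry keyed on an IP address catches the traffic whatever port or protocol it uses, while a rule that also pins the port or protocol silently misses it, can be shown on a handful of flow records. The script below is an added illustration written for this page, not code from the poster or from any IDS product. The feed addresses, the flow records and the packet bytes are all constructed here; the only protocol fact it relies on is the NTP header layout, where the low three bits of the first byte carry the mode and mode 6 is the control-message mode that carries readvar-style queries (mode 7 is the implementation-private mode).

```python
from dataclasses import dataclass

# Constructed watch-list, standing in for the feed an IDS receives.
# These are documentation addresses (RFC 5737), not real hosts.
BOTNET_FEED = {"203.0.113.50", "198.51.100.7"}


@dataclass(frozen=True)
class Flow:
    """One observed flow record (constructed for this example)."""
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: bytes  # first bytes of the payload, as a sensor would capture them


def ntp_mode(payload: bytes):
    """Mode field of an NTP packet: low three bits of the first byte.
    Returns None when there is no payload to inspect."""
    if not payload:
        return None
    return payload[0] & 0x07


def match_ip_only(flow: Flow, feed=BOTNET_FEED) -> bool:
    """Feed rule keyed on address alone: fires on any port or protocol."""
    return flow.src in feed or flow.dst in feed


def match_ip_and_port(flow: Flow, feed=BOTNET_FEED, proto="udp", dport=123) -> bool:
    """Feed rule that also pins the transport: misses the same peer on another port."""
    return (flow.src in feed or flow.dst in feed) and flow.proto == proto and flow.dport == dport


def classify(flow: Flow) -> list:
    """Alert tags for a flow. Address match is the trigger; when the flow
    does look like NTP on udp/123, note whether it is a control/private
    mode packet rather than an ordinary client (mode 3) request."""
    tags = []
    if match_ip_only(flow):
        tags.append("watchlist-ip")
        if flow.proto == "udp" and flow.dport == 123 and ntp_mode(flow.payload) in (6, 7):
            tags.append("ntp-control-mode")
    return tags


# Constructed sample flows from an internal host to a watch-listed peer.
# 0x23 = LI 0, VN 4, mode 3 (client); 0x26 = LI 0, VN 4, mode 6 (control);
# the 0x02 after 0x26 is the readvar opcode in a control packet.
ORDINARY_NTP = Flow("192.0.2.10", "203.0.113.50", "udp", 123, b"\x23" + b"\x00" * 47)
CONTROL_NTP = Flow("192.0.2.10", "203.0.113.50", "udp", 123, b"\x26\x02" + b"\x00" * 10)
MOVED_PORT = Flow("192.0.2.10", "203.0.113.50", "udp", 8123, b"\x23" + b"\x00" * 47)
BENIGN_NTP = Flow("192.0.2.10", "192.0.2.1", "udp", 123, b"\x23" + b"\x00" * 47)
SAMPLE_FLOWS = [ORDINARY_NTP, CONTROL_NTP, MOVED_PORT, BENIGN_NTP]


def run_demo(flows=SAMPLE_FLOWS) -> dict:
    """Count how each rule style fares over the sample flows."""
    return {
        "ip_only_hits": sum(match_ip_only(f) for f in flows),
        "ip_port_hits": sum(match_ip_and_port(f) for f in flows),
        "control_mode_hits": sum("ntp-control-mode" in classify(f) for f in flows),
    }


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {classify(f) or 'no alert'}")
    print(run_demo())
```

Over the four constructed flows the address-only rule fires three times, the address-plus-port rule only twice, because the flow to the same peer on udp/8123 falls outside its port pin; the control-mode tag is a secondary label that only makes sense once the address has already matched, which is the order of evidence the post describes.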
