[ntp:questions] NTP.POOL.ORG Server is a shadowserver

Rob nomail at example.com
Thu Oct 18 16:50:56 UTC 2012

Uwe Klein <uwe at klein-habertwedt.de> wrote:
> Rob wrote:
>> And I think that is very wise.  There are many protocols that can
>> be used to hide communication, and it is undoable to analyze all
>> of them to the level where you can be sure it is innocent.
> False positives ruin trust in a tool.
> ( crying wolf to often. )
> If 99% of your alerts are false positives that tool is worthless.

Maybe the botnet operators try to exploit this.
But it is certain that they have a better position in the battle:
they can trigger false positives and force the IDS rule maintainers
to exclude certain protocols from the ruleset, and then they can
use the excluded protocols to achieve their goal.

Furthermore, they can host their C&C services on hacked systems
that already are functioning as servers for other purposes, thus
hiding their C&C traffic under a layer of legitimate traffic to
the same address.

Maybe that is happening in this case, but we cannot be certain.

More information about the questions mailing list