[ntp:questions] Jesus Christ! -> even internet time-sync (NTP) is vulnerable to exploitation?

Virus Guy "Virus" at Guy.com
Sun Dec 21 22:29:29 UTC 2014

"David H. Lipman" wrote:

(Dave Lipman posted examples from his router logs of incoming traffic to
port 123)

> > Um - did you notice that resolves to 
> > pool-test.ntp.org?
> >
> > Your other IP's resolve to:
> >
> >  = helium.constant.com
> > = server1.nyc.shellvatore.us
> >  = 166-70-136-41.xmission.com
> >  = time01.muskegonisd.org
> >
> > Someone thinks that you are operating a registered public
> > NTP server on your IP.
> That was just a short excerpt from one log.  There is way more to
> the log and I didn't care about who the IP belongs to. 
> A couple of months ago, that wasn't in the log to the same level
> I am seeing Today.

I agree that it's likely there is a high(er) amount of probing going on
on port 123 than usual (if there ever was a usual).

But do you have nothing to say regarding the possibility (or
probability) based on who is hitting you (that you posted above) that
they think you are operating a real NTP server - and they're trying to
make a legit time query?

For example:


We found 2 hostnames for IP Address
1 	north-america.pool.ntp.org

We found 2 hostnames for IP Address
1 	us.pool.ntp.org

We found 2 hostnames for IP Address
1 	1.us.pool.ntp.org

You gave five examples of IP's hitting you on port 123.  Four of those
are (or were) legit NTP servers.

So either you are misreading your logs (and what you think are incoming
queries on port 123 are really outgoing queries from some computer on
your lan to something.pool.ntp.org), or these really are incoming
queries coming from legit (or previous legit) NTP servers.

If the answer is the latter, then these may very well be examples of
comprimised / trojanized NTP servers performing their own NTP probes
under botnet control.

More information about the questions mailing list