[ntp:questions] Jesus Christ! -> even internet time-sync (NTP) is vulnerable to exploitation?

Harlan Stenn stenn at ntp.org
Mon Dec 22 04:28:29 UTC 2014


Virus Guy writes:
> Harlan Stenn wrote:
> 
> > > ...  or these really are incoming queries coming from legit
> > > (or previous legit) NTP servers.
> > >
> > > If the answer is the latter, then these may very well be examples
> > > of compromised / trojanized NTP servers performing their own NTP
> > > probes under botnet control.
> > 
> > I think the first instance of "NTP" in that last sentence should be
> > removed.
> 
> Under what conditions would someone who is NOT operating an NTP server
> expect to see external IPs hit his router on port 123?
> 
> And given that such events are happening, how would you explain that
> these external IPs have rDNS data that maps them to
> various.pool.ntp.org?

We're not communicating effectively.

I still think you mean:

> > > If the answer is the latter, then these may very well be examples
> > > of compromised / trojanized servers performing their own NTP
> > > probes under botnet control.

And it's entirely possible that the probes you are seeing are not
malicious.  They could easily be somebody doing a "scan for educational
purposes".

H

