[ntp:questions] Jesus Christ! -> even internet time-sync(NTP) is vulnerable to exploitation?
"Virus" at Guy.com
Mon Dec 22 14:52:16 UTC 2014
Harlan Stenn wrote:
> > Under what conditions would someone who is NOT operating an NTP
> > server expect to see external IP's hit his router on port 123?
> > And given that such events are happening, how would you explain
> > that these external IP's have rDNS data that maps them to
> > various.pool.ntp.org?
Before we continue, why can't you answer those questions?
> We're not communicating effectively.
Until you answer those questions, no - we're not.
> I still think you mean:
> > If the answer is the latter, then these may very well be examples
> > of compromised / trojanized servers performing their own NTP
> > probes under botnet control.
Which comes right back to the questions that I posted above that you
have not answered.
The rDNS of the IP addresses of these hypothetical trojanized servers
map to known pool.ntp.org servers.
If (as has just been mentioned by Brian Utterback) the IP addresses of
the remote machines were forged, then we don't really know the true IPs
of the remote machines performing these probes. But if that was not the
case, then we have machines that either are or recently were part of the
pool of ntp.org servers performing NTP probes on random IPs.