[ntp:questions] Possible new attack?

Evandro Menezes aevandro at gmail.com
Tue Oct 7 01:49:58 UTC 2014

On Monday, October 6, 2014 6:50:09 PM UTC-5, William Unruh wrote:
> Not only that but they are probably running ntp 3 systems, which does
> not have KOD.

The suspects are purportedly NTPV4:

remote address          port local address      count m ver rstr avgint  lstint
wnpgmb1154w-a-b   123 192.168.a.b           18 3 4    5f8      6       0
a-b.dyn.suddenlink.net 42324 192.168.a.b         1590 3 4    5f8     14       6

Note that the restriction bits indicate that these clients are being kissed goodbye, yet they remain.

Again, they are not numerous on my server, just a pesky few.  The bandwidth used by all NTP clients, the good and the bad alike, amounts to just about 1.5Kbps.  But, if this is some sort of infection spreading out, it could affect notorious ST1 servers worse and more of them might be placed behind a wall serving only their internal site, as it's happened after to the recent DRDoS attack.

More information about the questions mailing list