[time] ddos unlikely

Simon Lyall simon
Mon Oct 11 12:05:27 UTC 2004

Below is the first email I've sent out; I'll send a few more in the next
little while. If you think my wording could be better then please let me

Simon J. Lyall  |  Very Busy  |  Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.

---------- Forwarded message ----------
Date: Mon, 11 Oct 2004 23:02:28 +1300 (NZDT)
From: Simon Lyall <simon at darkmere.gen.nz>
To: abuse at xxxxxxx
Cc: noc at xxxxxx
Subject: NTP DDOS originating from your customers.


I am a member (and one of the helpers) of the pool.ntp.org (see
http://www.pool.ntp.org), a group of distributed NTP (time) servers.

Since the middle of last week we have been hit every 10 minutes (exactly
on 10, 20, 30, etc. minutes past the hour) by a large number of lookups from
UK based providers. Our best guess is that this is caused by a recent
firmware upgrade to a DSL router, hardware firewall or similar device.

We would very much appreciate it if you could help us trace the cause of the
traffic surge and the manufacturer of the device so we can work with them
to reduce the problems caused by the recent change.

The following IPs belonging to your customers sent NTP queries to
pool.ntp.org at 09:40:00 UTC on Mon Oct 11 2004. If you could let me know
if they have a hardware device (or something else) in common and the make
and model we would be very thankful.

Please note that we do not believe that your end users have malicious
intent against pool.ntp.org nor do we believe they are infected with any
sort of virus or similar program.

Thank you for your time.

Simon Lyall
On behalf of pool.ntp.org

Simon J. Lyall.  |   Very  Busy   |   Mail: simon at darkmere.gen.nz
"To stay awake all night adds a day to your life" - Stilgar | eMT.
