[ntp:questions] NTP.POOL.ORG Server is a shadowserver

E-Mail Sent to this address will be added to the BlackLists Null at BlackList.Anitech-Systems.invalid
Thu Oct 18 18:18:27 UTC 2012


Rob wrote:
> John Hasler wrote:
>> sh3120 writes:
>>> Have sites complaining that 72.8.140.222 is showing up
>>>   on command and control server.
>>>  After research determined that IP is listed in the
>>>   NTP.POOL.ORG listing of time servers.
>>>  Unsure who to report this to to get it off the list.
>>
>> It's not clear what your problem is.
>
> Today many ISPs and companies run intrusion detection
>  systems that monitor the traffic and send alerts when
>  there is communication with systems listed as botnet
>  C&C servers.
>
> So when such a server appears on ntp.pool.org, and a user
>  picks it to sync with, they get stamped as potentially
>  infected by malware and could face disconnection or
>  other forms of quarantine.
>
> Clear now?

That does not make it an NTP problem!

 Does ntp.org even have a policy that allows them to exempt IPs
  from the pool because some third party wants them to?

 FYI: It is still in the pool
 <http://www.pool.ntp.org/scores/72.8.140.222> irc.indoforum.org


Other ISPs' policies to block their own customers based on
 a third party's assertions are not ntp.org's problem.

 If an ISP "knows" an IP is a botnet C&C server,
  and they null route it, none of their customers
  will be able to contact it.

 ... and in the case of use "pool pool.ntp.org iburst preempt"
  the customer will just get more IPs from the ntp pool,
  when any specific IP can't be reached.


-- 
E-Mail Sent to this address <BlackList at Anitech-Systems.com>
  will be added to the BlackLists.
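
An added example, not part of the original post: one way an IDS operator could triage alerts for a listed address that is also a pool server, by separating hosts whose only traffic to it is well-formed NTP client requests from hosts that talk to it in any other way. The flow-record fields, the verdict labels and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

LISTED_IP = "72.8.140.222"  # address discussed in the thread
NTP_PORT = 123

def is_ntp_client_request(payload: bytes) -> bool:
    """True if payload looks like an NTP client request (version 3 or 4, mode 3)."""
    if len(payload) < 48:          # an NTP header is 48 bytes
        return False
    version = (payload[0] >> 3) & 0x7
    mode = payload[0] & 0x7
    return version in (3, 4) and mode == 3

def triage(flows, listed_ip=LISTED_IP):
    """Label each source host that contacted listed_ip.

    "ntp-only" lowers alert priority, it does not clear the host;
    anything else to the listed address is "investigate".
    """
    per_host = defaultdict(list)
    for flow in flows:
        if flow["dst"] == listed_ip:
            per_host[flow["src"]].append(flow)
    verdicts = {}
    for host, host_flows in per_host.items():
        ntp_only = all(
            f["proto"] == "udp" and f["dport"] == NTP_PORT
            and is_ntp_client_request(f["payload"])
            for f in host_flows
        )
        verdicts[host] = "ntp-only" if ntp_only else "investigate"
    return verdicts

# Constructed sample flows (documentation addresses, not real captures).
NTP_REQ = bytes([0x23]) + bytes(47)   # LI=0, VN=4, Mode=3 (client)
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": LISTED_IP, "proto": "udp", "dport": 123, "payload": NTP_REQ},
    {"src": "192.0.2.20", "dst": LISTED_IP, "proto": "udp", "dport": 123, "payload": NTP_REQ},
    {"src": "192.0.2.20", "dst": LISTED_IP, "proto": "tcp", "dport": 6667, "payload": b"NICK x\r\n"},
    {"src": "192.0.2.30", "dst": LISTED_IP, "proto": "udp", "dport": 123, "payload": b"\x00" * 12},
    {"src": "192.0.2.40", "dst": "198.51.100.7", "proto": "udp", "dport": 123, "payload": NTP_REQ},
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, verdict)
```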


