[ntp:questions] monitor attack

Mike Cook michael.cook at sfr.fr
Mon Mar 23 13:16:33 UTC 2015

> Le 23 mars 2015 à 13:56, folkert <folkert at vanheusden.com> a écrit :
> Hi,
> This morning I got an e-mail from my ISP (xs4all in the Netherlands)
> that my systems can be used for a reflection attack. They had logged in
> to my modem and pinpointed a clock on my LAN.
> What confuses me is the following:
> - the gateway system already had 
> 	disable monitor
> 	restrict -4 default kod notrap nomodify nopeer
> 	restrict -6 default kod notrap nomodify nopeer
>  in ntp.conf
> - the clock they complained about is somewhere on my LAN and should not
>  directly be accessible from the outside ( it did not
>  have disable monitor but as I mentioned; it cannot be reached from
>  the internet
> Does someone have got any idea what the problem here is?

  If they have logged into your modem, they will be able to bypass any NAT rules that you have on the router and have maybe not taken that into account.
  What you can do is to go to < http://support.ntp.org/ntpq.php > to see if ntpq works from outside your net.

Have fun.

> Note that testing it won't (should) not work right now as I temporarily
> firewalled port 123 until I figured this out.
> regards,
> Folkert van Heusden
> -- 
> Always wondered what the latency of your webserver is? Or how much more
> latency you get when you go through a proxy server/tor? The numbers
> tell the tale and with HTTPing you know them!
>                                     http://www.vanheusden.com/httping/
> -----------------------------------------------------------------------
> Phone: +31-6-41278122, PGP-key: 1F28D8AE, www.vanheusden.com
> _______________________________________________
> questions mailing list
> questions at lists.ntp.org
> http://lists.ntp.org/listinfo/questions

"Ceux qui sont prêts à abandonner une liberté essentielle pour obtenir une petite et provisoire sécurité, ne méritent ni liberté ni sécurité."
Benjimin Franklin

More information about the questions mailing list