[ntp:questions] monitor attack

Brian Inglis Brian.Inglis at SystematicSw.ab.ca
Mon Mar 23 16:13:44 UTC 2015


On 2015-03-23 07:16, Mike Cook wrote:
>> On 23 March 2015 at 13:56, folkert <folkert at vanheusden.com> wrote:
>> This morning I got an e-mail from my ISP (xs4all in the Netherlands)
>> that my systems can be used for a reflection attack. They had logged in
>> to my modem and pinpointed a clock on my LAN.
>>
>> What confuses me is the following:
>>
>> - the gateway system already had
>> 	disable monitor
>> 	restrict -4 default kod notrap nomodify nopeer
>> 	restrict -6 default kod notrap nomodify nopeer
>>   in ntp.conf
>>
>> - the clock they complained about is somewhere on my LAN and should not
>>   directly be accessible from the outside (192.168.64.45). It did not
>>   have disable monitor but, as I mentioned, it cannot be reached from
>>   the internet.
>>
>> Does someone have any idea what the problem is here?

The problem is they breached your firewall and your privacy and LAN security by logging into your modem.
Change your modem password(s); talk to your ISP, check whether they sent the email, whether and who logged in to your modem, why they logged in, what they did when logged in, what they found, and whether they may have breached any laws while doing so, and what you can do about what they did and found.

>    If they have logged into your modem, they will be able to bypass any NAT rules that you have on the router and have maybe not taken that into account.
>    What you can do is to go to < http://support.ntp.org/ntpq.php > to see if ntpq works from outside your net.

>> Note that testing it won't (shouldn't) work right now as I temporarily
>> firewalled port 123 until I figured this out.

Will not affect anything they can do while logged in to your modem, bypassing your firewall.
May be trying to shut down NTP users on your/their network with FUD.

-- 
Take care. Thanks, Brian Inglis
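
A config check for the settings discussed in this thread, as an added example that is not part of the original messages: it parses an ntp.conf and reports whether the monitor facility is still enabled and whether each default `restrict` line carries `noquery`, the ntpd flag that refuses ntpq/ntpdc queries. The function name and finding codes are hypothetical, the sample input is constructed from the lines quoted above, and a `restrict default` without `-4`/`-6` is assumed to cover both address families.

```python
# Constructed sample: the gateway settings quoted in the thread.
GATEWAY_CONF = """\
disable monitor
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
"""

def audit_ntp_conf(text):
    """Return finding codes for remote-query exposure (hypothetical helper)."""
    monitor_disabled = False
    defaults = {}  # address family ("-4" / "-6") -> flags on its default line
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in ("disable", "enable") and "monitor" in words[1:]:
            # Assumption: a later enable/disable line overrides an earlier one.
            monitor_disabled = words[0] == "disable"
        elif words[0] == "restrict":
            families = [w for w in words[1:] if w in ("-4", "-6")]
            rest = [w for w in words[1:] if w not in ("-4", "-6")]
            if rest and rest[0] == "default":
                # Assumption: an unqualified "default" covers both families.
                for family in families or ["-4", "-6"]:
                    defaults[family] = set(rest[1:])
    findings = []
    if not monitor_disabled:
        findings.append("monitor-enabled")  # monitoring data is being collected
    for family in ("-4", "-6"):
        flags = defaults.get(family)
        if flags is None:
            findings.append("no-default-restrict:" + family)
        elif "ignore" not in flags and "noquery" not in flags:
            findings.append("queries-allowed:" + family)  # ntpq/ntpdc answered
    return findings

if __name__ == "__main__":
    for code in audit_ntp_conf(GATEWAY_CONF):
        print(code)
```

Run against the file on each NTP host, including ones on the LAN; an empty result means monitoring is off and default-policy clients cannot query the daemon.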

