[ntp:security] 0.pool.ntp.org amplification attack

Joe joe at avvanta.com
Fri Feb 21 00:21:24 UTC 2014


At least one of the IPs in the 0.pool.ntp.org pool is still vulnerable to 
and being used as an ntp amplifier. You may want to pull it from your DNS 
until they get it fixed. You might also want to do a quick scan of all the 
IPs in the pool to see if any others remain vulnerable.

  srcf-ntp.stanford.edu  171.66.241.4

It's a nice almost 50k reply too:

  ntpdc -nc monlist 171.66.241.4 | wc
  602    5412   48160

That IP is actively being used in a DDoS right now.

Hopefully you have a direct contact to reach at Stanford - I don't, and am 
not about to jump through their web-based hoops to report this issue to 
them.

Thanks!

-- 
Joe H
System Administrator

