[ntp:security] 0.pool.ntp.org amplification attack

Danny Mayer mayer at pdmconsulting.net
Sun Feb 23 03:06:25 UTC 2014


Joe,

You need to contact the pool people about this. This channel is for
reporting security problems for NTP and we have nothing to do with the
pool. You should check the pool web site for information on this.

Danny

On 2/20/2014 7:21 PM, Joe wrote:
> 
> At least one of the IPs in the 0.pool.ntp.org pool is still vulnerable
> to and being used as an ntp amplifier. You may want to pull it from your
> DNS until they get it fixed. You might also want to do a quick scan of
> all the IPs in the pool to see if any others remain vulnerable.
> 
>  srcf-ntp.stanford.edu  171.66.241.4
> 
> It's a nice almost 50k reply too:
> 
>  ntpdc -nc monlist 171.66.241.4 | wc
>  602    5412   48160
> 
> That IP is actively being used in a DDoS right now.
> 
> Hopefully you have a direct contact to reach at Stanford - I don't, and
> am not about to jump through their web-based hoops to report this issue
> to them.
> 
> Thanks!
> 



