[ntp:hackers] Dlink is abusing almost *ALL* stratum 1 servers :-(

Danny Mayer mayer at ntp.isc.org
Mon Apr 10 01:41:17 UTC 2006


David Malone wrote:
> On Sat, Apr 08, 2006 at 08:40:39PM -0700, Hal Murray wrote:
>> Anybody know of any others?
> 
> We had one that didn't directly involve NTP, but requests over HTTP.
> However, ultimately it was due to us being on the list of NTP
> servers. There is a short write up at:
> 
> 	http://www.maths.tcd.ie/~dwmalone/time/tardis.html
> 
> and a longer write up in this month's ;login:
> 
> 	http://www.usenix.org/publications/login/2006-04/index.html
> 
> (I think you need a password to access the articles right now - contact
> me if you can't get access.)
> 
> I've checked our current NTP server, and it is seeing about 6 clients
> making requests matching the description that PHK gives. Curiously,
> they are all in Japan, which is a way from our service region of
> Ireland/UK.
> 
> 	David.

I guess we also need to add a recommendation not to run an HTTP server
on any publicly announced NTP server. I'm not even sure why you would
use HTTP for this anyway. Corporate networks should be running an NTP
server inside the firewall that clients can use. If they don't then the
clients should probably not be running unauthorized software. For
personal use they can open up the firewall to NTP packets just like HTTP.

Why does none of this surprise me?

Danny

