[ntp:questions] Possible new attack?
Miroslav Lichvar
mlichvar at redhat.com
Tue Oct 7 08:29:12 UTC 2014
On Mon, Oct 06, 2014 at 06:49:58PM -0700, Evandro Menezes wrote:
> On Monday, October 6, 2014 6:50:09 PM UTC-5, William Unruh wrote:
> > Not only that but they are probably running ntp 3 systems, which does
> > not have KOD.
>
> The suspects are purportedly NTPV4:
>
> remote address          port local address  count m ver rstr avgint lstint
> wnpgmb1154w-a-b          123 192.168.a.b       18 3 4    5f8      6      0
> a-b.dyn.suddenlink.net 42324 192.168.a.b     1590 3 4    5f8     14      6
Out of curiosity, do you have a pcap file or tcpdump output you could
share?
I've been trying to fix widely used open source (S)NTP implementations
to not poll frequently and I'm wondering if this is a client I know.
--
Miroslav Lichvar