[ntp:questions] Possible new attack?

Miroslav Lichvar mlichvar at redhat.com
Tue Oct 7 08:29:12 UTC 2014


On Mon, Oct 06, 2014 at 06:49:58PM -0700, Evandro Menezes wrote:
> On Monday, October 6, 2014 6:50:09 PM UTC-5, William Unruh wrote:
> > Not only that but they are probably running ntp 3 systems, which does
> > not have KOD.
> 
> The suspects are purportedly NTPV4:
> 
> remote address          port local address      count m ver rstr avgint  lstint
> wnpgmb1154w-a-b   123 192.168.a.b           18 3 4    5f8      6       0
> a-b.dyn.suddenlink.net 42324 192.168.a.b         1590 3 4    5f8     14       6

Out of curiosity, do you have a pcap file or tcpdump output you could
share?

I've been trying to fix widely used open source (S)NTP implementations
to not poll frequently and I'm wondering if this is a client I know.

-- 
Miroslav Lichvar

