Koos van den Hout wrote:

 From the shadowservercc page

"These IPs are updated every 24 hours and should be considered VERY
highly reliable indications that a host is communicating with a known
and active Bot or Malware command and control server."

If those include public ntp servers used by bots on infected systems
(with botnets switching domain names for command & control daily I can
imagine they are using ntp to get the correct time to avoid losing
contact with the master) my best guess would be that the researcher
looking into the 'bot' traffic wasn't very aware of the ntp protocol.

So I would not use the term "VERY highly reliable indications".
The rules don't look at the port number at all!
They trigger on any traffic (TCP or UDP) to a long list of IP addresses.

When a member of the pool is on that list, and a user of the pool has received one of those addresses from the DNS, the resulting traffic will trigger the alert.

So this has nothing to do with the command & control system using NTP for sync; it is related to command & control systems being cracked servers that happen to be members of the pool.

One could consider removing systems that are on this list from the pool automatically, and/or warning members of the pool that they are on this list and possibly have been cracked.

Rob
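An added illustration of the rule behaviour Rob describes, with the triage step a pool operator would want (not code from the thread or from the pool project; the blocklist, pool membership and flow records below are constructed placeholders in documentation address ranges):

```python
# Constructed sample blocklist (placeholder addresses, not real shadowserver data).
BLOCKLIST = {"192.0.2.10", "198.51.100.7", "203.0.113.42"}

# Constructed pool membership (hypothetical pool members).
POOL_MEMBERS = {"198.51.100.7", "198.51.100.8"}

# Constructed flow records: (src, dst, proto, dst_port).
FLOWS = [
    ("10.0.0.5", "198.51.100.7", "udp", 123),   # NTP query to a pool member that is on the list
    ("10.0.0.5", "192.0.2.10", "tcp", 6667),    # TCP session to a listed host, some other port
    ("10.0.0.6", "198.51.100.8", "udp", 123),   # NTP query to a pool member that is not listed
    ("10.0.0.7", "203.0.113.42", "udp", 53),    # DNS query to a listed host
]


def port_agnostic_alerts(flows, blocklist):
    """Mimic the rule as described: any TCP or UDP traffic to a listed IP fires,
    the destination port is never consulted."""
    return [f for f in flows if f[1] in blocklist]


def classify_alert(flow, pool_members):
    """Separate 'client talked NTP to a pool member that is on the list' from
    everything else, so the former can be routed to the pool operator rather
    than treated as evidence that the client is a bot."""
    _src, dst, proto, dport = flow
    if dst in pool_members and proto == "udp" and dport == 123:
        return "pool-member-on-list"
    return "unexplained"


def triage(flows, blocklist, pool_members):
    """Run the port-agnostic rule, then label each hit."""
    return [(f, classify_alert(f, pool_members))
            for f in port_agnostic_alerts(flows, blocklist)]


def pool_members_on_list(pool_members, blocklist):
    """Candidates for the warn-or-remove action suggested at the end of the thread:
    pool members whose address appears on the list and may have been cracked."""
    return sorted(pool_members & blocklist)


if __name__ == "__main__":
    for flow, label in triage(FLOWS, BLOCKLIST, POOL_MEMBERS):
        print(label, flow)
    print("pool members to warn:", pool_members_on_list(POOL_MEMBERS, BLOCKLIST))
```

The NTP query to 198.51.100.8 produces no alert at all, while the one to 198.51.100.7 fires purely because that pool member is on the list.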
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool