[email protected] said:
> So this has nothing to do with the command&control system using NTP for
> sync, it is related to command&control systems being cracked servers that
> happen to be members of the pool.

Thanks for tracking that down.

> One could consider removing systems that are on this list from the pool
> automatically, and/or warning members of the pool that they are on this list
> and possibly have been cracked.

Both seem like good ideas to me.

It might also be worth checking major anti-spam black lists. Mostly, they are
either bots or systems run by bad guys.

http://www.spamhaus.org/sbl/
http://www.spamhaus.org/xbl/
http://www.spamhaus.org/zen/

(Be sure not to use PBL.)

----------

Is there a way for a client to verify that an address is still in the pool?

I'd expect something like: to check 1.2.3.4, do a DNS lookup on
4.3.2.1.pool.example.com. If you get an address, it's in the pool. If you
get a doesn't-exist error (as compared to timeout or other problem with the
DNS servers), then that address isn't in the pool.

If the IP address is in the pool, it might be interesting to return various
status codes in the returned IP address. I can't think of any good examples
that would be more interesting than what you could learn by exchanging a few
NTP packets. Or possibly, a special address could indicate that it is or was
(recently) on a black list. [Or class of addresses, indicating which list and
how long ago.]

-- 
These are my opinions, not necessarily my employer's. I hate spam.

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
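The reversed-octet lookup sketched in the message above, written out as an added example (not code from the pool project or from the poster). It assumes a hypothetical check zone pool.example.com, and the same octet-reversal serves for a DNSBL query such as the Spamhaus zones mentioned (only the zone name changes). The three-way split the message insists on, "an answer", "name does not exist", and "some other DNS failure", is kept explicit so that a timeout or SERVFAIL is never mistaken for "not in the pool". The status values carried in the returned 127.0.0.x address are this example's own choice, modelled on the usual DNSBL convention, since the message only suggests the idea. The stub resolver and its entries are constructed for offline use; stdlib_resolver does a real lookup.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# One lookup result: ("NOERROR", "127.0.0.1"), ("NXDOMAIN", None) or ("TEMPFAIL", None)
LookupResult = Tuple[str, Optional[str]]
Resolver = Callable[[str], LookupResult]

# Hypothetical zone for pool-membership checks (the message's pool.example.com).
POOL_CHECK_ZONE = "pool.example.com"


def reversed_octets(ip: str) -> str:
    """1.2.3.4 -> 4.3.2.1, the DNSBL-style layout the message proposes.
    Raises ValueError on anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def check_name(ip: str, zone: str = POOL_CHECK_ZONE) -> str:
    """Name to query for `ip` under `zone` (pool check or DNSBL alike)."""
    return f"{reversed_octets(ip)}.{zone}"


# Hypothetical status encoding in the answer address; these meanings are this
# example's own, not anything the pool project defines.
STATUS_CODES = {
    "127.0.0.1": "in pool, not on any list",
    "127.0.0.2": "in pool, currently on a blacklist",
    "127.0.0.3": "in pool, was on a blacklist recently",
}


def classify(result: LookupResult) -> Tuple[str, str]:
    """Map a lookup result to (verdict, explanation).

    Only a definite NXDOMAIN means "not in pool"; any other failure is
    "unknown" so that a DNS outage cannot look like a removal."""
    rcode, answer = result
    if rcode == "NXDOMAIN":
        return ("not_in_pool", "name does not exist")
    if rcode != "NOERROR" or answer is None:
        return ("unknown", f"lookup failed ({rcode}); do not treat as 'not in pool'")
    return ("in_pool", STATUS_CODES.get(answer, f"unrecognised status address {answer}"))


def pool_status(ip: str, resolver: Resolver, zone: str = POOL_CHECK_ZONE) -> Tuple[str, str]:
    """Full check: build the reversed name, resolve it, classify the outcome."""
    return classify(resolver(check_name(ip, zone)))


def stdlib_resolver(name: str) -> LookupResult:
    """Real resolver on top of the stdlib. On glibc, a non-existent name
    surfaces as EAI_NONAME; temporary failures (EAI_AGAIN etc.) are kept
    separate so classify() reports them as unknown rather than absent."""
    try:
        return ("NOERROR", socket.gethostbyname(name))
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_NONAME", None):
            return ("NXDOMAIN", None)
        return ("TEMPFAIL", None)


# Constructed stub zone so the example runs offline; names not listed here
# simulate a resolver that failed to answer.
STUB_ZONE = {
    "4.3.2.1.pool.example.com": ("NOERROR", "127.0.0.1"),   # 1.2.3.4: in pool, clean
    "8.8.8.203.pool.example.com": ("NOERROR", "127.0.0.2"),  # 203.8.8.8: in pool, listed
    "1.0.0.10.pool.example.com": ("NXDOMAIN", None),         # 10.0.0.1: not in pool
}


def stub_resolver(name: str) -> LookupResult:
    return STUB_ZONE.get(name, ("TEMPFAIL", None))


if __name__ == "__main__":
    for ip in ("1.2.3.4", "203.8.8.8", "10.0.0.1", "192.0.2.7"):
        print(ip, check_name(ip), pool_status(ip, stub_resolver))
```

The same check_name() with zone="zen.spamhaus.org" produces the query a client would send to the blacklist the message mentions; whatever encoding is chosen for the answer address, it needs to preserve which list produced the hit, since the message explicitly wants PBL hits excluded.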
