Quote from Rob Janssen <[email protected]>:
Mouse wrote:
Have sites complaining that 72.8.140.222 is showing up on command
and control server. [...]
Whether a machine has been infected by malware is not related
directly to whether it is serving good time.
The problem is that some intrusion detection systems or ISP systems
that attempt to detect malware will see that someone is communicating
with an IP that is on a list of command and control servers, without
checking in detail what kind of communication it is.
The NTP pool also is not a mechanism for handholding sites with
incompetent IDS monitoring.
I think the pool should do nothing here. If it's serving good time, I
think it belongs in the pool; if it's not, not. Anyone who freaks out
over port-123 traffic to it because of something unrelated to NTP needs
to learn to check before freaking. It is not a service to keep the
incompetent from suffering the consequences of their incompetence.
But who is incompetent? The one who stamps any traffic to a C&C server
as suspicious, or the one that does not consider that a botnet might use
UDP port 123 on their C&C server and even make their C&C packets look a
lot like NTP packets?
The baseline is: your IDS is able to give you hints on what might be
suspicious; it's up to you to decide whether it is a real danger/unwanted
or not.
Regards
Andreas
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
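The "check before freaking" step that Mouse and Andreas are arguing about, as an added example that is not part of the original thread or of the NTP pool's code: a small Python triage that looks at what a UDP/123 payload to or from a blocklisted address actually is before anyone raises an alarm. Everything in it is constructed for the example (the packets, the wall clock value NOW, the 3600 s skew tolerance, and the list of "known" trailer lengths are assumptions, not pool policy). The last sample is Andreas's point in code: a packet with covert bytes parked in a field the check never reads passes as NTP, so "ntp-like" is a hint for a human, not a verdict.

```python
import struct
from dataclasses import dataclass

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
NTP_HEADER_LEN = 48          # fixed header, RFC 5905 figure 8


@dataclass
class NtpHeader:
    leap: int
    version: int
    mode: int         # 3 = client, 4 = server
    stratum: int
    poll: int
    precision: int
    ref_id: bytes     # 4-char source id at stratum 0/1, IPv4 address above that
    transmit_ts: int  # raw 64-bit NTP timestamp: seconds << 32 | fraction


def parse_ntp_header(payload: bytes):
    """Parse the fixed 48-byte NTP header; None if the payload is too short."""
    if len(payload) < NTP_HEADER_LEN:
        return None
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    ref_id = payload[12:16]
    _ref, _orig, _recv, xmit = struct.unpack("!QQQQ", payload[16:48])
    return NtpHeader(leap=li_vn_mode >> 6, version=(li_vn_mode >> 3) & 0x7,
                     mode=li_vn_mode & 0x7, stratum=stratum, poll=poll,
                     precision=precision, ref_id=ref_id, transmit_ts=xmit)


def ntp_to_unix(ts64: int) -> int:
    return (ts64 >> 32) - NTP_EPOCH_OFFSET


def unix_to_ntp(unix_seconds: int) -> int:
    return (unix_seconds + NTP_EPOCH_OFFSET) << 32


def triage_udp123(payload: bytes, from_server: bool, now: int):
    """Does a UDP/123 payload at least look like NTP? Returns (verdict, reason).

    'ntp-like' means the header is well-formed, nothing more: a C&C channel
    can hide its bytes in fields this check never reads (see the last sample).
    """
    hdr = parse_ntp_header(payload)
    if hdr is None:
        return ("needs-a-look", "shorter than the 48-byte NTP header")
    if hdr.version not in (3, 4):
        return ("needs-a-look", f"unexpected NTP version {hdr.version}")
    expected_mode = 4 if from_server else 3
    if hdr.mode != expected_mode:
        return ("needs-a-look", f"mode {hdr.mode}, expected {expected_mode}")
    if from_server:
        if hdr.stratum == 0:
            # Kiss-o'-Death: legitimate, the 4-char code says why (e.g. RATE)
            return ("ntp-like", f"kiss-o'-death code {hdr.ref_id!r}")
        if hdr.stratum > 15:
            return ("needs-a-look", f"stratum {hdr.stratum} out of range")
        skew = abs(ntp_to_unix(hdr.transmit_ts) - now)
        if skew > 3600:   # assumed tolerance for this example
            return ("needs-a-look", f"transmit timestamp {skew}s from wall clock")
    extra = len(payload) - NTP_HEADER_LEN
    # Known trailers: MD5 MAC (4+16) or SHA-1 MAC (4+20). Extension fields
    # (Autokey, NTS) also exist, so other lengths mean "look", not "abuse".
    if extra not in (0, 20, 24):
        return ("needs-a-look", f"{extra} trailing bytes that are not a known MAC")
    return ("ntp-like", "well-formed header")


def build_packet(mode, stratum, ref_id, xmit_unix, root_disp=0, trailer=b""):
    """Constructed NTPv4 packet for the samples below (not captured traffic)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    pkt = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # LI/VN/mode, stratum, poll, precision
    pkt += struct.pack("!II", 0, root_disp)                   # root delay, root dispersion
    pkt += ref_id
    pkt += struct.pack("!QQQQ", 0, 0, 0, unix_to_ntp(xmit_unix))
    return pkt + trailer


NOW = 1_700_000_000  # constructed "current" wall clock for the samples

# (payload, from_server); every sample is constructed for this example
SAMPLES = {
    "client request":      (build_packet(3, 0, b"\0\0\0\0", NOW), False),
    "stratum-1 reply":     (build_packet(4, 1, b"GPS\0", NOW + 1), True),
    "reply, clock off 1d": (build_packet(4, 1, b"GPS\0", NOW - 86400), True),
    "not NTP at all":      (b"\x17\x03\x03\x00\x25" + b"\xaa" * 37, True),
    "NTP header + blob":   (build_packet(4, 1, b"GPS\0", NOW, trailer=b"\x00" * 100), True),
    "covert bytes in root dispersion":
                           (build_packet(4, 1, b"GPS\0", NOW, root_disp=0x636D6400), True),
}


def triage_all(now=NOW):
    return {name: triage_udp123(payload, from_server, now)[0]
            for name, (payload, from_server) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (payload, from_server) in SAMPLES.items():
        verdict, reason = triage_udp123(payload, from_server, NOW)
        print(f"{name:34s} {verdict:12s} {reason}")
```

Run it and the first two samples come back ntp-like, the stale reply, the non-NTP bytes and the header with 100 bytes bolted on come back needs-a-look, and the covert-channel packet comes back ntp-like as well. That last line is the caveat: a parser like this turns a bare blocklist hit into something an analyst can reason about, but it cannot clear traffic to a C&C address on its own, which is exactly why the decision stays with the site running the IDS rather than with the pool.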