On 2/10/2014 11:58 AM, Scott Baker wrote:
On 02/10/2014 08:49 AM, Brian Rak wrote:
Your servers both look okay.  What did the email say?
This is the email that came in this weekend. Not sure when it supposedly
occurred though.

Dear Admin, The following IP address, 65.182.224.39, which is located
on your network has been actively exploited to launch a
distributed denial of service attack against one or more IP addresses
in the ranges of 108.170.21.34/29, and/or 184.164.158.160/29. The
attack was detected as NTP Amplification, and the CVE on the exploited
vulnerability can be found here:
http://www.cvedetails.com/cve/CVE-2013-5211/. Please patch, or notify
your customer to patch this vulnerability to help make the internet a
better place for us all. If you require any other information, such as
TCP Dump logs from the attack, please contact me at [email protected]
THIS EMAIL IS NOT ACTIVELY MONITORED, DO NOT REPLY TO THIS EMAIL!!.

I'd probably email them and ask for tcpdump logs. What I suspect is the case is their machine is using the pool for NTP servers, then blindly sending out abuse reports when it sees NTP traffic. If that's the case, the tcpdump output would be minimal. If it's not, send us the tcpdump logs they provide.
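Once a capture arrives, the question is whether it shows the mode-7 MON_GETLIST_1 ("monlist") exchange behind CVE-2013-5211 or just the ordinary 48-byte mode 3/4 polls a pool member sees all day. The following is an added example, my own code and not from the thread or from the ntp project: it encodes the ntpd private-mode header (response and more flags in byte 0, implementation 3, request code 42, 72-byte entries, 6 per reply packet), classifies payloads and computes the amplification factor. All packets are constructed inline; nothing is sent.

```python
"""Triage of an NTP amplification abuse report (added example, not code from the thread).

Implements the ntpd mode-7 "private" packet layout behind CVE-2013-5211 (MON_GETLIST_1,
request code 42): builds the 8-byte probe, parses replies, classifies packets pulled
from a capture, and computes the amplification factor. Every packet here is
constructed in-process; nothing is sent on the wire.
"""
import struct
from collections import Counter

MODE_PRIVATE = 7
IMPL_XNTPD = 3             # "implementation" number ntpd answers to
REQ_MON_GETLIST_1 = 42     # the monlist request code
MONLIST_ITEM_SIZE = 72     # bytes per monlist entry in an ntpd reply
MONLIST_ITEMS_PER_PKT = 6  # 8-byte header + 6*72 = 440-byte reply packets


def build_monlist_request() -> bytes:
    # rm_vn_mode: response=0, more=0, version=2, mode=7 -> 0x17
    # auth_seq=0, implementation=3, request=42, err/nitems=0, mbz/itemsize=0
    return struct.pack(">BBBBHH", 0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def build_monlist_response(nitems: int = MONLIST_ITEMS_PER_PKT, more: bool = True) -> bytes:
    """Constructed reply from a vulnerable ntpd: header plus `nitems` zeroed 72-byte entries."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = struct.pack(">BBBBHH", rm_vn_mode, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1,
                         nitems & 0x0FFF, MONLIST_ITEM_SIZE & 0x0FFF)
    return header + bytes(MONLIST_ITEM_SIZE * nitems)


def parse_mode7_header(payload: bytes) -> dict:
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(">BBBBHH", payload[:8])
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "auth": bool(auth_seq & 0x80),
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
    }


def classify_ntp_payload(payload: bytes) -> str:
    """Label one UDP/123 payload so ordinary pool traffic can be told from monlist abuse."""
    if len(payload) < 4:
        return "short"
    mode = payload[0] & 0x07
    if mode == MODE_PRIVATE:
        if len(payload) < 8:
            return "mode7-truncated"
        hdr = parse_mode7_header(payload)
        if hdr["request"] == REQ_MON_GETLIST_1:
            return "monlist-response" if hdr["response"] else "monlist-request"
        return "mode7-other"
    if mode == 3 and len(payload) >= 48:
        return "client-request"       # normal ntpdate/ntpd poll from a pool user
    if mode == 4 and len(payload) >= 48:
        return "server-response"      # normal 48-byte answer to the above
    if mode == 6:
        return "control"              # mode 6 (ntpq) traffic, not the subject of this report
    return "other"


def amplification_factor(request: bytes, responses: list) -> float:
    return sum(len(r) for r in responses) / len(request)


def triage(payloads: list) -> dict:
    """Count packet classes; any monlist response means the host still answers mode 7."""
    counts = Counter(classify_ntp_payload(p) for p in payloads)
    verdict = "amplification" if counts["monlist-response"] else "ordinary-ntp"
    return {"counts": dict(counts), "verdict": verdict}


# Constructed sample capture: two ordinary pool exchanges, then a monlist probe with the
# first of its reply packets. Byte 0 = 0x23 is LI 0 / v4 / mode 3, 0x24 is v4 / mode 4.
CLIENT_POLL = bytes([0x23]) + bytes(47)
SERVER_REPLY = bytes([0x24]) + bytes(47)
SAMPLE_CAPTURE = [CLIENT_POLL, SERVER_REPLY, CLIENT_POLL, SERVER_REPLY,
                  build_monlist_request(), build_monlist_response()]

if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURE))
    print("amplification per reply packet:",
          amplification_factor(build_monlist_request(), [build_monlist_response()]))
```

A capture consisting only of "client-request" and "server-response" packets is consistent with a reporter that is simply watching its own pool traffic; monlist responses coming from your address mean the host still answers mode 7. The accepted fixes for CVE-2013-5211 are upgrading ntpd to 4.2.7p26 or later, or adding `disable monitor` and/or `restrict default noquery` (with the usual `restrict 127.0.0.1` exception) to ntp.conf.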
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool