On Mon, Dec 22, 2014 at 10:59:44AM -0500, Philip Gladstone wrote:
> A bunch of people are scanning for NTP.
> 
> * Shodan (multiple addresses). These are also good guys

        Good?  For whom?

        They scan from addresses; not just their own, obvious, ones, but
from TWC and Comcast cable modems and other IPs not easily identified
and filtered, and then don't honor requests to stop.

        Last year at this time I was having fun with a large number of
Juniper routers that cheerfully responded to monlist requests.  Nobody
had noticed they would do so, yet, so I started polling all of these
devices with monlist myself...and archiving their monlists.

        Within minutes to hours of being scanned by Shodan, some of them
were being abused...there were no other external entries in their
monlists just before the attacks started.

        You can filter their IP space, and you will still find things
get polled (and helpfully listed on their site for abusers to search
for) from oddball external addresses.

        --msa
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
