On 17/10/16 09:54, Ralf Hildebrandt wrote:
> I received an abuse complaint today, 213.239.204.119 is/was member of
> pool.ntp.org.
>
> The destination IP belongs to:
>
> inetnum: 49.8.0.0 - 49.11.255.255
> netname: SixKanet
> descr: SixKanet
> descr: 78 Garak-dong, Songpa-gu, Seoul
>
> Is this an NTP reflection/amplification attack? What can I do?
[snip]
>
>> ##########################################################################
>> # Portscan detected from host 213.239.204.119 #
>> ##########################################################################
>>
>> time protocol src_ip src_port dest_ip dest_port
>> ---------------------------------------------------------------------------
>> Sun Oct 16 23:26:18 2016 UDP 213.239.204.119 123 => 49.9.253.77 48943
>> Sun Oct 16 23:25:07 2016 UDP 213.239.204.119 123 => 49.9.173.110 53789
>> Sun Oct 16 23:26:16 2016 UDP 213.239.204.119 123 => 49.9.236.63 41332
>> Sun Oct 16 20:59:02 2016 UDP 213.239.204.119 123 => 49.9.209.139 59960
>> Sun Oct 16 23:26:39 2016 UDP 213.239.204.119 123 => 49.9.239.110 59276

I haven't done a detailed cross-reference on that log, but this looks to me like a mis-diagnosis by that ISP. They're using a very large address range, and it seems that a lot of their clients are using your NTP server to get the time. I would be inclined to reply to them pointing this out and suggesting they have made a mistake.

Cheers,
John
_______________________________________________
pool mailing list
pool@lists.ntp.org
http://lists.ntp.org/listinfo/pool
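
The traffic-shape check suggested by the reply above, as an added example that is not part of the original message: it parses the complaint's log format and reports whether packets from UDP port 123 are spread thinly over many destinations (as server replies to clients would be) or piled onto a few. The function names and the `max_per_dst` threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Log lines as quoted in the complaint (time proto src sport => dst dport).
SAMPLE = """\
Sun Oct 16 23:26:18 2016 UDP 213.239.204.119 123 => 49.9.253.77 48943
Sun Oct 16 23:25:07 2016 UDP 213.239.204.119 123 => 49.9.173.110 53789
Sun Oct 16 23:26:16 2016 UDP 213.239.204.119 123 => 49.9.236.63 41332
Sun Oct 16 20:59:02 2016 UDP 213.239.204.119 123 => 49.9.209.139 59960
Sun Oct 16 23:26:39 2016 UDP 213.239.204.119 123 => 49.9.239.110 59276
"""

LINE = re.compile(
    r"^(?:>\s*)*(?P<time>\w{3} \w{3} +\d+ [\d:]+ \d{4}) +(?P<proto>\w+) +"
    r"(?P<src>[\d.]+) +(?P<sport>\d+) +=> +(?P<dst>[\d.]+) +(?P<dport>\d+)\s*$"
)

def parse(text):
    """Return one dict per matching log line; mail quote markers ('>') are tolerated."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def summarize(rows, max_per_dst=3):
    """Describe the traffic shape. max_per_dst is an assumed threshold, not a standard."""
    per_dst = Counter(r["dst"] for r in rows)
    from_ntp = all(r["proto"] == "UDP" and r["sport"] == "123" for r in rows)
    high_dports = all(int(r["dport"]) >= 1024 for r in rows)
    busiest = max(per_dst.values(), default=0)
    # Replies to many clients: source port 123, unprivileged destination
    # ports, few packets per destination. Reflected traffic would instead
    # concentrate on one or a few destination addresses.
    if rows and from_ntp and high_dports and busiest <= max_per_dst:
        verdict = "consistent with NTP replies to many clients"
    elif busiest > max_per_dst:
        verdict = "concentrated on few destinations, inspect further"
    else:
        verdict = "inconclusive"
    return {"packets": len(rows), "destinations": len(per_dst),
            "busiest": busiest, "verdict": verdict}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

Five log lines are too few to settle the question either way; the same summary over the server's own packet capture or ntpd statistics for that address range gives a firmer basis for the reply to the ISP.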