Quoting Ralf Hildebrandt who wrote on Mon 2016-10-17 at 10:54:

> I received an abuse complaint today, 213.239.204.119 is/was member of
> pool.ntp.org.

I both run a pool server and am active with network security monitoring.
A lot of the tooling for network security monitoring sees an active pool
ntp server as an outlier. Every unique request to the ntp server causes a
separate netflow log entry.

The big change that made the 'ntp ddos' alerts stop for the pool server was
making a difference in the size of the ntp answers so monlist (abused for
ddos) entries can be differentiated from normal ntp answers.

> > ##########################################################################
> > #              Portscan detected from host 213.239.204.119               #
> > ##########################################################################
> > 
> > time                protocol src_ip src_port          dest_ip dest_port
> > ---------------------------------------------------------------------------
> > Sun Oct 16 23:26:18 2016 UDP 213.239.204.119 123   =>     49.9.253.77 48943
> > Sun Oct 16 23:25:07 2016 UDP 213.239.204.119 123   =>    49.9.173.110 53789
[..]

This isn't even netflow based, this is simple network traffic checking
which does not even see that each of those packets is in response to an
earlier request.

"Working as designed" and with normal ntp ratelimits this can't be abused
for ddos attacks.

But this isn't an answer that you can give your local abuse department,
they need some insight into what you are doing on their network and why this
causes some misguided complaints.

                                          Koos van den Hout

-- 
The Virtual Bookcase, the site about books, book   | Koos van den Hout
news and reviews http://www.virtualbookcase.com/   | http://idefix.net/
PGP keyid 0x5BA9368BE6F334E4                       | IPv6 enabled!

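The mismatch Koos describes (one flow record per unique client, so a busy pool server reads as a portscanner) and the size-based distinction between normal answers and monlist answers, as an added illustration that is not code from this thread. All addresses (RFC 5737 ranges), packet sizes and records are constructed; the 440-byte oversized answer stands in for a mode 7 monlist reply.

```python
"""Why a one-directional 'portscan' heuristic flags an NTP pool server, and two
checks that do not. Added illustration; not code from the pool list thread.
All addresses (RFC 5737 ranges) and packet records below are constructed."""
from collections import defaultdict

# Constructed packet records: (proto, src_ip, src_port, dst_ip, dst_port, payload_bytes).
# 198.51.100.7 plays the pool server; 192.0.2.1-192.0.2.6 are ordinary clients.
SERVER = "198.51.100.7"
NTP_REQUEST_BYTES = 48          # a plain mode 3 client request carries 48 bytes
PACKETS = []
for i in range(1, 7):
    client, sport = f"192.0.2.{i}", 40000 + i
    PACKETS.append(("UDP", client, sport, SERVER, 123, NTP_REQUEST_BYTES))  # request
    PACKETS.append(("UDP", SERVER, 123, client, sport, NTP_REQUEST_BYTES))  # normal 48-byte answer
# One oversized answer (constructed 440 bytes, monlist-sized) to a client that did ask.
PACKETS.append(("UDP", "192.0.2.9", 40009, SERVER, 123, NTP_REQUEST_BYTES))
PACKETS.append(("UDP", SERVER, 123, "192.0.2.9", 40009, 440))

def naive_portscan(packets, threshold=5):
    """The heuristic behind the quoted report: count distinct (dst_ip, dst_port) per
    source. Every answer to a new client looks like a probe of a new host and port."""
    targets = defaultdict(set)
    for _, src, _, dst, dport, _ in packets:
        targets[src].add((dst, dport))
    return {src for src, t in targets.items() if len(t) >= threshold}

def unsolicited_portscan(packets, threshold=5):
    """Same count, but a packet whose 5-tuple mirrors an earlier packet is a reply
    to something already seen and is not counted as a probe."""
    seen, targets = set(), defaultdict(set)
    for proto, src, sport, dst, dport, _ in packets:
        if (proto, dst, dport, src, sport) in seen:   # reply to an earlier request
            continue
        seen.add((proto, src, sport, dst, dport))
        targets[src].add((dst, dport))
    return {src for src, t in targets.items() if len(t) >= threshold}

def oversized_ntp_answers(packets, max_ratio=2.0):
    """Amplification check: pair each answer from UDP/123 with the request it answers
    and flag answers more than max_ratio times the request size. A 48-byte answer to a
    48-byte request passes; a monlist-sized answer does not."""
    request_size, flagged = {}, []
    for proto, src, sport, dst, dport, size in packets:
        if proto == "UDP" and dport == 123:
            request_size[(src, sport, dst)] = size
        elif proto == "UDP" and sport == 123:
            req = request_size.get((dst, dport, src))
            if req and size / req > max_ratio:
                flagged.append((src, dst, size))
    return flagged
```

Run against the constructed records, the naive count flags only the server, the request-aware count flags nobody, and the size check singles out just the oversized answer.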

_______________________________________________
pool mailing list
pool@lists.ntp.org
http://lists.ntp.org/listinfo/pool
