Hello, Ralf!

To begin with: What was the exact text of the complaint?

To determine whether the traffic to and from this net is legitimate,
you could do a trace with tshark/Wireshark.

The commands (Unix):
touch /home/user/ntp.pcapng
chmod 777 /home/user/ntp.pcapng
(sudo) tshark -i eth0 -f 'udp port 123' -c 1000 -F pcapng -W n -w /home/user/ntp.pcapng

Have a look at the characteristics of the requests and the total amount of traffic per unit of time. If every request is the same NTP version and/or there is a pattern in the intervals of these requests,
then it could possibly be some kind of spoofed-IP trick.
Also check the percentage of your whole NTP traffic that is caused by these requests. One last thing would be to have a look at the latency to that net. If your connection to that net is really good, it is logical that many clients select your server for optimal accuracy.

This is all just fishing in muddy waters but it could help narrowing it down to at least a probable answer.

(PS: In case I missed something, please be patient with me, I'm new to mailing lists.)

regards, Simon
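A worked version of the checks Simon lists (request cadence per source, NTP version mix, and the share of traffic the complaining net accounts for), added here as an editorial example; it is not part of Simon's post or anything Ralf ran. It assumes the capture has been exported with tshark's `-T fields` output using the dissector field names `ntp.flags.vn` and `ntp.flags.mode`, the sample lines are constructed rather than taken from a real capture, and `49.8.0.0/14` is the inetnum from the complaint (49.8.0.0 - 49.11.255.255) written as a prefix.

```python
"""Added example (not from the original post): score captured NTP requests for
per-source cadence, NTP version mix, and the share of traffic one net causes.

Assumed input, one request per line, as produced by something like
  tshark -r ntp.pcapng -Y 'ntp && udp.dstport == 123' -T fields -E separator=, \
      -e frame.time_epoch -e ip.src -e udp.srcport -e ntp.flags.vn \
      -e ntp.flags.mode -e frame.len
"""
import ipaddress
import statistics
from collections import Counter, defaultdict

# Constructed sample: time, source address, source port, NTP version, NTP mode,
# frame length. 49.9.x.x lies inside the complaint's inetnum (49.8.0.0/14); the
# other addresses are documentation ranges. 203.0.113.9 fires a burst of mode 7
# (private/monlist) queries, which is what an amplification probe looks like;
# 49.9.253.77 polls every 64 s with mode 3, which is what an SNTP client does.
SAMPLE = """\
1476660000.00,49.9.253.77,48943,4,3,90
1476660001.50,198.51.100.7,33001,4,3,90
1476660008.00,49.9.173.110,53789,3,3,90
1476660064.00,49.9.253.77,48943,4,3,90
1476660064.10,198.51.100.7,33002,4,3,90
1476660128.00,49.9.253.77,48943,4,3,90
1476660129.00,49.9.236.63,41332,4,3,90
1476660130.00,203.0.113.9,1024,2,7,50
1476660130.01,203.0.113.9,1024,2,7,50
1476660130.02,203.0.113.9,1024,2,7,50
1476660130.03,203.0.113.9,1024,2,7,50
1476660192.00,49.9.253.77,48943,4,3,90
"""


def parse_records(text):
    """Parse the comma-separated tshark field lines into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, sport, vn, mode, flen = line.split(",")
        records.append({"time": float(t), "src": ipaddress.ip_address(src),
                        "sport": int(sport), "version": int(vn),
                        "mode": int(mode), "length": int(flen)})
    return sorted(records, key=lambda r: r["time"])


def interval_regularity(times):
    """(mean gap, coefficient of variation) for >= 3 timestamps, else None.
    CV near 0 means a fixed cadence; that alone is normal for SNTP clients."""
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return (0.0, 0.0)
    return (mean, statistics.pstdev(gaps) / mean)


def analyze(records, suspect_net):
    """Share of requests/bytes from suspect_net, version mix, per-source stats."""
    net = ipaddress.ip_network(suspect_net)
    in_net = [r for r in records if r["src"] in net]
    per_src = defaultdict(list)
    for r in records:
        per_src[r["src"]].append(r)
    sources = {}
    for src, rs in per_src.items():
        reg = interval_regularity([r["time"] for r in rs])
        span = rs[-1]["time"] - rs[0]["time"]
        sources[str(src)] = {
            "count": len(rs),
            "rate_per_s": len(rs) / span if span > 0 else float("inf"),
            "mean_interval": reg[0] if reg else None,
            "cv": reg[1] if reg else None,
            "modes": Counter(r["mode"] for r in rs),
        }
    return {
        "request_share": len(in_net) / len(records),
        "byte_share": sum(r["length"] for r in in_net)
        / sum(r["length"] for r in records),
        "versions_in_net": Counter(r["version"] for r in in_net),
        "versions_elsewhere": Counter(r["version"] for r in records
                                      if r["src"] not in net),
        "sources": sources,
    }


def flag_sources(report, max_rate=1.0):
    """Sources that look like a flood or an amplifier probe, not a clock client.
    A real client (mode 3) polls every 64..1024 s; many requests per second,
    or any mode 7 (private/monlist) query, is what to look at more closely."""
    flagged = {}
    for src, s in report["sources"].items():
        reasons = []
        if s["count"] >= 3 and s["rate_per_s"] > max_rate:
            reasons.append("rate %.1f req/s" % s["rate_per_s"])
        if 7 in s["modes"]:
            reasons.append("mode 7 (private/monlist) queries")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    rep = analyze(parse_records(SAMPLE), "49.8.0.0/14")
    print("share of requests from net: %.2f" % rep["request_share"])
    print("versions in net:", dict(rep["versions_in_net"]))
    print("flagged:", flag_sources(rep))
```

Replace SAMPLE with the real tshark output to run it against the capture. Note what the complaint itself shows: packets from port 123 to scattered high ports, one per client address, which is the shape of replies to ordinary mode 3 requests. A spoofed-source attack would instead show a single victim address receiving many replies per second, and an amplification attack would need mode 7 requests, which is the case this script flags.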


On 17/10/16 11:10, John Winters wrote:
On 17/10/16 09:54, Ralf Hildebrandt wrote:
I received an abuse complaint today, 213.239.204.119 is/was member of
pool.ntp.org.

The destination IP belongs to:

inetnum:        49.8.0.0 - 49.11.255.255
netname:        SixKanet
descr:          SixKanet
descr:          78 Garak-dong, Songpa-gu, Seoul

Is this an NTP reflection/amplification attack? What can I do?
[snip]

##########################################################################
# Portscan detected from host 213.239.204.119 #
##########################################################################

time                      protocol  src_ip           src_port      dest_ip        dest_port
---------------------------------------------------------------------------
Sun Oct 16 23:26:18 2016  UDP       213.239.204.119  123       =>  49.9.253.77    48943
Sun Oct 16 23:25:07 2016  UDP       213.239.204.119  123       =>  49.9.173.110   53789
Sun Oct 16 23:26:16 2016  UDP       213.239.204.119  123       =>  49.9.236.63    41332
Sun Oct 16 20:59:02 2016  UDP       213.239.204.119  123       =>  49.9.209.139   59960
Sun Oct 16 23:26:39 2016  UDP       213.239.204.119  123       =>  49.9.239.110   59276

I haven't done a detailed cross-reference on that log, but this looks to me like a mis-diagnosis by that ISP. They're using a very large address
range, and it seems that a lot of their clients are using your NTP
server to get the time.

I would be inclined to reply to them pointing this out and suggesting
they have made a mistake.

Cheers,
John
_______________________________________________
pool mailing list
pool@lists.ntp.org
http://lists.ntp.org/listinfo/pool
