Good day, Ralf!
To begin with: What was the exact text of the complaint?
To determine if the traffic to and from this net is legitimate, you could do a trace with tshark/Wireshark.
The commands (unix):
touch /home/user/ntp.pcapng
chmod 777 /home/user/ntp.pcapng
(sudo) tshark -i eth0 -f 'udp port 123' -c 1000 -F pcapng -W n -w /home/user/ntp.pcapng
Have a look at the characteristics of the requests and the total amount of traffic per time.
If every request is the same NTP version and/or there is a pattern in the intervals of these requests, then it could possibly be some kind of spoofed IP trick.
Also check the percentage of your whole NTP traffic that is caused by these requests.
One last thing would be to have a look at the latency to that net. If your connection to that net is really good, it is logical that many clients select your server for optimal accuracy.
This is all just fishing in muddy waters but it could help narrowing it down to at least a probable answer.
(PS: In case I missed something, please be patient with me, I'm new to mailing lists.)
regards, Simon
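As an added example (not part of Simon's mail or any tool from the thread), the script below runs the checks Simon lists over a set of NTP request records: the version and mode of each request, how regular the per-source intervals are, and what share of all NTP traffic the complained-about network accounts for. The records are constructed inline; in practice they would be exported from the capture with something like `tshark -r ntp.pcapng -T fields -e frame.time_epoch -e ip.src -e udp.srcport -e ntp.flags`, and the network prefix 49.8.0.0/14 is the inetnum from the complaint written as a CIDR.

```python
import ipaddress
import statistics
from collections import Counter, defaultdict

# Constructed sample records: (epoch seconds, source IP, source port, first NTP header byte).
# The first NTP byte packs leap indicator, version and mode (RFC 5905):
#   0x23 = LI 0, version 4, mode 3 (client); 0x1b = version 3, mode 3 (client).
# Timestamps and ports are made up to resemble the ISP log in the thread.
SAMPLE_RECORDS = [
    (1476659178.0, "49.9.253.77", 48943, 0x23),
    (1476659242.0, "49.9.253.77", 48943, 0x23),   # same host polling every 64 s
    (1476659306.0, "49.9.253.77", 48943, 0x23),
    (1476659370.0, "49.9.253.77", 48943, 0x23),
    (1476659107.0, "49.9.173.110", 53789, 0x23),
    (1476659176.0, "49.9.236.63", 41332, 0x1b),
    (1476659200.0, "49.9.209.139", 59960, 0x23),
    (1476659199.0, "49.9.239.110", 59276, 0x23),
    (1476659150.0, "198.51.100.7", 123, 0x23),    # clients outside the net (documentation ranges)
    (1476659151.0, "198.51.100.7", 123, 0x23),
    (1476659160.0, "203.0.113.9", 40001, 0x23),
]


def parse_ntp_flags(flags):
    """Split the first NTP header byte into (leap indicator, version, mode)."""
    return (flags >> 6) & 0x3, (flags >> 3) & 0x7, flags & 0x7


def interval_regularity(times):
    """Return (median gap, max gap - min gap) for a sorted timestamp list, or None below 3 samples."""
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    return statistics.median(gaps), max(gaps) - min(gaps)


def summarise(records, net_cidr, regular_spread=2.0):
    """Summarise requests from net_cidr: share of traffic, versions, modes, regular pollers."""
    net = ipaddress.ip_network(net_cidr)
    total = len(records)
    in_net = [r for r in records if ipaddress.ip_address(r[1]) in net]
    versions, modes, by_src = Counter(), Counter(), defaultdict(list)
    for ts, src, _port, flags in in_net:
        _li, vn, mode = parse_ntp_flags(flags)
        versions[vn] += 1
        modes[mode] += 1
        by_src[src].append(ts)
    # A source whose gaps vary by at most regular_spread seconds polls on a fixed schedule,
    # which is what a normal ntpd/sntp client does; many identical sources at identical
    # intervals would be the pattern Simon suggests looking for.
    regular = []
    for src, times in by_src.items():
        reg = interval_regularity(sorted(times))
        if reg and reg[1] <= regular_spread:
            regular.append((src, reg[0]))
    return {
        "total_requests": total,
        "requests_from_net": len(in_net),
        "share_of_traffic": len(in_net) / total if total else 0.0,
        "distinct_sources": len(by_src),
        "versions": dict(versions),
        "modes": dict(modes),
        # A plain time client sends mode 3; anything else (control/private queries) deserves a look.
        "non_client_modes": sum(n for m, n in modes.items() if m != 3),
        "regular_sources": sorted(regular),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_RECORDS, "49.8.0.0/14").items():
        print(f"{key}: {value}")
```

With the sample data the complained-about net accounts for 8 of 11 requests from 5 distinct hosts, all mode 3 and almost all version 4, and the one host seen repeatedly polls at a steady 64 s, which is what ordinary pool clients look like rather than a reflection pattern.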
On 17/10/16 11:10, John Winters wrote:
On 17/10/16 09:54, Ralf Hildebrandt wrote:
I received an abuse complaint today, 213.239.204.119 is/was member of pool.ntp.org.
The destination IP belongs to:
inetnum: 49.8.0.0 - 49.11.255.255
netname: SixKanet
descr: SixKanet
descr: 78 Garak-dong, Songpa-gu, Seoul
Is this an NTP reflection/amplification attack? What can I do?
[snip]
##########################################################################
# Portscan detected from host 213.239.204.119
#
##########################################################################
time                      protocol  src_ip           src_port     dest_ip        dest_port
---------------------------------------------------------------------------
Sun Oct 16 23:26:18 2016  UDP       213.239.204.119  123       => 49.9.253.77    48943
Sun Oct 16 23:25:07 2016  UDP       213.239.204.119  123       => 49.9.173.110   53789
Sun Oct 16 23:26:16 2016  UDP       213.239.204.119  123       => 49.9.236.63    41332
Sun Oct 16 20:59:02 2016  UDP       213.239.204.119  123       => 49.9.209.139   59960
Sun Oct 16 23:26:39 2016  UDP       213.239.204.119  123       => 49.9.239.110   59276
I haven't done a detailed cross-reference on that log, but this looks to me like a mis-diagnosis by that ISP. They're using a very large address range, and it seems that a lot of their clients are using your NTP server to get the time.
I would be inclined to reply to them pointing this out and suggesting they have made a mistake.
Cheers,
John
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool