* Ralf Hildebrandt :
> I received an abuse complaint today, 213.239.204.119 is/was member of
> pool.ntp.org.
>
> The destination IP belongs to:
>
> inetnum:49.8.0.0 - 49.11.255.255
> netname:SixKanet
> descr: SixKanet
> descr: 78 Garak-dong, Songpa-gu, Seoul
>
>
On Oct 17, 2016, at 10:52, oliver domke wrote:
>
> I think it's a good idea to add non-local servers to zones with too few
> servers to manage the load, but maybe this shouldn't be done for zones like
> cn, kr, eg, etc. where censorship may prevent answers from outside.
I am planning to do what
Update:
I could capture some incoming packets from some 49.9.x.x.
They seem to be very random and look like normal ntp requests of 90 bytes.
Since the addresses are assigned to KRNIC, I had the idea that packets from
Germany are blocked generally. Can I be wrong?
traceroute example:
# traceroute
Hey there,
I've received the same "DOS-Warning" from Hetzner (www.hetzner.de).
Interestingly, the time and IP range is different. I've received the
email at around 08:00 UTC (Sunday), with IPs in the 47.1.x.x subnet.
From the logs I agree it looks to be a standard spoofed request. There's
not muc
oliver domke wrote:
I got two of these this morning (same dest. net).
The real problem is, these addresses are not reachable (no route, tested on
hetzner, telekom, netcologne). That means the request, that causes the
answers, most likely came from another source.
The lack of BCP38 implementat
Ralf Hildebrandt wrote on Mon, 17 Oct 2016 at 10:58:
> > timeprotocol src_ip src_port dest_ip dest_port
> >
> ---
> > Sun Oct 16 23:26:18 2016 UDP 213.239.204.119 123 => 49.9.253.77
> 48
Hello, Ralf!
To begin with: What was the exact text of the complaint?
To determine if the traffic to and from this net is legitimate,
you could do a trace with tshark/WireShark.
The commands (unix):
touch /home/user/ntp.pcapng
chmod 777 /home/user/ntp.pcapng
(sudo) tshark -i eth0 -f 'udp port
Hi Ralf,
> The config did look ok to you?
Yes, the config snippet you provided looks perfectly fine.
Cheers,
Joseph
___
pool mailing list
pool@lists.ntp.org
http://lists.ntp.org/listinfo/pool
* Joseph B :
> Hi Ralf,
>
> > I received an abuse complaint today, 213.239.204.119 is/was member of
> > pool.ntp.org.
>
> If you are confident that your server is configured correctly, and the
> Abuse ticket is unwarranted, you can just construct a simple reply back.
The config did look ok to y
Hi Ralf,
> I received an abuse complaint today, 213.239.204.119 is/was member of
> pool.ntp.org.
If you are confident that your server is configured correctly, and the
Abuse ticket is unwarranted, you can just construct a simple reply back.
Below is an example of wording I usually use when resp
Quoting Ralf Hildebrandt who wrote on Mon 2016-10-17 at 10:54:
> I received an abuse complaint today, 213.239.204.119 is/was member of
> pool.ntp.org.
I both run a pool server and am active with network security monitoring.
A lot of the tooling for network security monitoring sees an active pool
On 17/10/16 09:54, Ralf Hildebrandt wrote:
> I received an abuse complaint today, 213.239.204.119 is/was member of
> pool.ntp.org.
>
> The destination IP belongs to:
>
> inetnum:49.8.0.0 - 49.11.255.255
> netname:SixKanet
> descr: SixKanet
> descr: 78 Garak-dong,
I received an abuse complaint today, 213.239.204.119 is/was member of
pool.ntp.org.
The destination IP belongs to:
inetnum:49.8.0.0 - 49.11.255.255
netname:SixKanet
descr: SixKanet
descr: 78 Garak-dong, Songpa-gu, Seoul
Is this an NTP reflection/amplification at