Joel Reicher wrote:
Very simple script to insert a firewall rule for every matching IP:

    # (run in a loop)
    tcpdump -nlpi ppp0 port 123 and dst host 1.2.3.4 -c 100 > queue
    for x in `grep "client, strat 0, poll 0, prec 0" queue | awk '{print $3}' | cut -d '.' -f 1-4`; do
        # -x -F: compare whole lines literally, so 1.2.3.4 is not treated as banned because 1.2.3.45 is
        grep -qxF "$x" banned 2>/dev/null || (echo "$x" | tee -a banned; iptables -I INPUT -s "$x" -j NTP)
    done

Maybe I'm missing something, but what's the point of doing this? Do we know the virus stops polling, or changes its behaviour in any way when faced with such a block?
Assuming it is a virus, since it seems real clients do this too :/

If a virus is using NTP, stopping it getting replies will let the clock drift so that it can't aim to start at the same time as other instances.
-- Simon Arlott
