I had this problem with my Colo recently, although in my case the abuse report was in response to sysinfo requests I was sending out on my own initiative. My response was to stop doing my survey. Haven't gotten a report for just serving time yet. That sucks; a busy ISP is likely to just assume the worst.
I got a copy of the intrusion report btw, it seemed to be treating any unexpected sysinfo request as an exploit. Kind of stupid. We could try to notify the security vendor of the false positive problem but I'm not optimistic.

On Jan 3, 2008, at 13:14, [EMAIL PROTECTED] (Tim Shoppa) wrote:

> My NTP server in the pool sends out the time to whoever asks for it.
>
> Problem is, some folks firewall off my replies, and even worse when they
> see my replies of what time it is coming back, they report these
> as network attacks on their machines/networks from my network to
> their network providers, who tell my network provider, who then
> makes me fill out a form saying that I am not going to abuse the
> network anymore.
>
> So far I've been blowing these off, but for some reason this really
> has picked up over the holidays and now I apparently have to explain
> multiple times a day why I'm sending traffic to port 123 at different
> machines when they ask me what time it is.
>
> Has anyone here come up with a form-letter that explains that no, these
> are not network attacks (for some reason many of the complaints I
> get specifically mention "ntp overflow exploits")?
>
> Strangely enough, the form-letter that I often get from ISPs
> has a link to the "ntp overflow exploit" info page which explains
> that this is really a false positive because ntpd has no known
> overflow exploits...
>
> Tim.
> _______________________________________________
> timekeepers mailing list
> [email protected]
> https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
