On Saturday 05 January 2008 01.16:50 Arnold Schekkerman wrote:
> Regardless of (currently known or unknown) security holes in your
> ntp-server, by dropping everything that is not a normal time request you
> are sure that you have closed that attack route.

Denying all ntp requests except regular queries is doubtless good practice
and is, I believe, not really the point under debate. The real issues here
are
* stupid sysadmins reporting IDS false positives to their ISP (and it is a
false positive if it's just somebody sending a sysinfo to some ntp machine.
Those requests are legitimate, and while site admins may choose not to reply
to them, sending them is not abuse, per se)
* stupid ISPs reacting to those bogus reports, or reacting to alarm bells
from their own monitoring systems on seeing "floods" of port 123 traffic.
Both issues are not something the pool project can do much about. But
perhaps an "Info for ISPs" web page explaining what ntp is about (from the
perspective of the abuse desk worker who can at most spend 2min on this
case) would be worthwhile?
cheers
-- vbi
--
QOTD:
If it's too loud, you're too old.
_______________________________________________ timekeepers mailing list [email protected] https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
