oss-sec mailing list archives
Re: shodan.io actively infiltrating ntp.org IPv6 pools for scanning purposes
From: Loganaden Velvindron <loganaden () gmail com>
Date: Wed, 27 Jan 2016 17:05:55 +0400
On Wed, Jan 27, 2016 at 3:24 PM, Luca BRUNO <lucab () debian org> wrote:
> [cross-posted to pool-ntp and oss-sec]
>
> Hi,
>
> while reviewing network logs this morning I spotted some anomalies related to scan probes, ntp.org pools and IPv6. It looks like Brad already observed and blogged about this some days ago, but I haven't seen this discussed in the usual ntp-pools, Debian and oss-sec ML, so I'm reposting this here:
> http://netpatterns.blogspot.de/2016/01/the-rising-sophistication-of-network.html
>
> In summary, some machines (which seem related to the shodan.io scanning project) are actively participating in pool.ntp.org as IPv6 endpoints. However, clients connecting to them for NTP timesync are subsequently scanned by probes originating from *.scan6.shodan.io hosts.
Shouldn't we have some kind of policy for operators participating in pool.ntp.org to prevent such issues?
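
One way to check your own logs for the pattern reported above, as an added example that is not part of the original messages: it correlates a local IPv6 address's outbound NTP query with later inbound probes from hosts whose reverse DNS falls under scan6.shodan.io. The flow-record format, the 10-minute window, the function names and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed flow records (documentation prefix 2001:db8::/32). Hypothetical
# format: time, direction, src, dst, proto, dst port, PTR name of the remote end.
SAMPLE_FLOWS = """\
2016-01-27T08:00:00 out 2001:db8:a::10 2001:db8:ffff::123 udp 123 ntp1.example.net
2016-01-27T08:00:40 in 2001:db8:beef::7 2001:db8:a::10 tcp 80 host7.scan6.shodan.io
2016-01-27T08:01:05 in 2001:db8:beef::7 2001:db8:a::10 tcp 443 host7.scan6.shodan.io
2016-01-27T08:02:00 in 2001:db8:cafe::1 2001:db8:a::10 tcp 22 client.example.org
2016-01-27T09:30:00 in 2001:db8:beef::8 2001:db8:a::20 tcp 80 host8.scan6.shodan.io
2016-01-27T11:00:00 in 2001:db8:beef::7 2001:db8:a::10 tcp 23 host7.scan6.shodan.io
"""

def parse(text):
    """Turn the whitespace-separated sample format into typed tuples."""
    for line in text.splitlines():
        ts, direction, src, dst, proto, dport, ptr = line.split()
        yield (datetime.fromisoformat(ts), direction, ipaddress.ip_address(src),
               ipaddress.ip_address(dst), proto, int(dport), ptr.lower().rstrip("."))

def probes_after_ntp(flows, zone="scan6.shodan.io", window=timedelta(minutes=10)):
    """Inbound probes from hosts under `zone` that reach a local IPv6 address
    within `window` (an assumed value) of that address querying an NTP server."""
    last_ntp = {}  # local address -> (time, server) of its latest outbound NTP query
    hits = []
    for ts, direction, src, dst, proto, dport, ptr in sorted(flows, key=lambda f: f[0]):
        if direction == "out" and proto == "udp" and dport == 123 and src.version == 6:
            last_ntp[src] = (ts, dst)
        elif direction == "in" and dst in last_ntp:
            ntp_ts, server = last_ntp[dst]
            # Match the zone on a label boundary so look-alike names do not count.
            in_zone = ptr == zone or ptr.endswith("." + zone)
            if in_zone and src != server and ts - ntp_ts <= window:
                delay = int((ts - ntp_ts).total_seconds())
                hits.append((str(dst), str(server), str(src), dport, delay))
    return hits

if __name__ == "__main__":
    for hit in probes_after_ntp(parse(SAMPLE_FLOWS)):
        print("local=%s ntp_server=%s probe_src=%s dport=%d delay=%ds" % hit)
```

Each hit names the NTP server queried just before the probe, which is the address to exclude from the local time-source configuration or to report to the pool operators.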