oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: shodan.io actively infiltrating ntp.org IPv6 pools for scanning purposes

From: Loganaden Velvindron <loganaden () gmail com>
Date: Wed, 27 Jan 2016 17:05:55 +0400
On Wed, Jan 27, 2016 at 3:24 PM, Luca BRUNO <lucab () debian org> wrote:


[cross-posted to pool-ntp and oss-sec]

Hi,
while reviewing network logs this morning I spotted some anomalies related
to scan probes, ntp.org pools and IPv6.

It looks like Brad already observed and blogged about this some days ago,
but I haven't seen this discussed in the usual ntp-pools, Debian and
oss-sec ML, so I'm reposting this here:

http://netpatterns.blogspot.de/2016/01/the-rising-sophistication-of-network.html

In summary, some machines (which seem related to the shodan.io scanning
project)
are actively participating in pool.ntp.org as IPv6 endpoints.
However, clients connecting to them for NTP timesync, are subsequently
scanned
by probes originating from *.scan6.shodan.io hosts.



Shouldn't we have some kind of policy for operators participating in
pool.ntp.org to prevent such issues ?
Previous By Date Next
Previous By Thread Next

Current thread: