On 2012-08-09T17:04:06+0200, Koos van den Hout <[email protected]> wrote: > Quoting Sean Reifschneider who wrote on Tue 2012-08-07 at 15:45: > > > On 08/07/2012 01:03 PM, Ask Bjørn Hansen wrote: > > > I don't think that IP address has ever been > > > part of the NTP Pool, it is however listed on > > > http://support.ntp.org/bin/view/Servers/NtpOneTummyCom (which is > > > unrelated to the NTP Pool). > > > > It definitely was listed back before 2005... We were in the pool for > > several years, but over the period of a week or two we had two rather irate > > people call our emergency support line, demanding that we fix the system > > that was attacking their network. On port 123/udp. In response to packets > > from their network. :-( So I removed us from the pool. > > I had two of those (via e-mail) kindly sending in the 'evidence' in the > form of logfiles from their "firewall". Explaining the service and that > it only responded to requests did not help because that was not what the > "firewall" was saying, so I decided to add a firewall drop rule for the > source IPs 83.162.1.106, 86.83.253.130 and 12.34.195.206. > > According to pflog, they still try from time to time so either they > fixed their "firewall" or they are slowly going through the pool, one > complaint at a time.
Your NTP server could be responding to requests with forged source IP addresses, so in a sense, your server really is "attacking" a third-party. -- Kenyon Ralph
signature.asc
Description: Digital signature
_______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
