Chuck Swiger wrote:
Hi--

On Oct 17, 2012, at 10:04 AM, sh3120 wrote:
Have sites complaining that 72.8.140.222 is showing up on command and control 
server. After research determined that IP is listed in the NTP.POOL.ORG listing 
of time servers. Unsure who to report this to to get it off the list.
The mailing list for the NTP pool is <[email protected]>.

Whether a machine has been infected by malware is not related directly to whether it is serving good time.  The NTP pool has a scoring mechanism which will remove that IP if it no longer provides good time:


I think that is not the issue.
The problem is that some intrusion detection systems or ISP systems that attempt to detect malware will see that someone is communicating with an IP that is on a list of command and control servers, without checking in detail what kind of communication it is.

The result is all kinds of alarm bells going off, and potentially the customer being disconnected and advised to scan their system for malware.

So, we should (if we are not already doing so, I seem to remember that this subject was discussed before) remove any systems that are known to be C&C servers from the list of active NTP servers, no matter if they are serving correct time or not.

Of course it will not protect everyone.  When the client is a user that reboots every day, he will stop using that particular address within a couple of hours.  But a server that has once learned the address could keep using it nearly forever.

And of course to implement a feature like this, some feed of coming and going C&C servers is required.

Rob
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
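An added example, not code from this thread or from the NTP pool project, showing the two things Rob's message describes: an IP-only match (what the IDS/ISP systems are said to do) fires on every flow to a listed address, while a check that actually parses the NTP header only suppresses the alert for a well-formed NTP client/server exchange on UDP/123; and, on the pool side, the proposed rule that drops any active server found in a C&C feed regardless of its time score. The feed entries, flows and addresses are constructed from documentation ranges, and the Flow record shape and function names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample C&C feed for the example (documentation-range addresses,
# not real C&C servers). Entries may be single hosts or CIDR blocks.
CC_FEED = ["203.0.113.10", "198.51.100.0/24"]


@dataclass
class Flow:
    """Minimal flow record (assumed shape): first payload bytes of the flow."""
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    payload: bytes


def parse_ntp_header(payload: bytes):
    """Return (leap, version, mode) from the first NTP header byte, or None
    if the datagram is shorter than the 48-byte NTP header."""
    if len(payload) < 48:
        return None
    first = payload[0]
    return (first >> 6) & 0x3, (first >> 3) & 0x7, first & 0x7


def is_ntp_exchange(flow: Flow) -> bool:
    """True only for UDP on port 123 whose payload parses as an NTP client
    (mode 3) or server (mode 4) packet with a plausible protocol version."""
    if flow.proto != "udp" or 123 not in (flow.sport, flow.dport):
        return False
    hdr = parse_ntp_header(flow.payload)
    if hdr is None:
        return False
    _leap, version, mode = hdr
    return 1 <= version <= 4 and mode in (3, 4)


def load_feed(entries):
    """Normalise feed entries (hosts or CIDRs) to ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_feed(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def naive_alerts(flows, feed):
    """IP-only matching: any flow to a listed address is an alert."""
    nets = load_feed(feed)
    return [f for f in flows if in_feed(f.dst, nets)]


def protocol_aware_alerts(flows, feed):
    """Same match, but a well-formed NTP exchange to the listed host is
    not treated as C&C traffic."""
    nets = load_feed(feed)
    return [f for f in flows if in_feed(f.dst, nets) and not is_ntp_exchange(f)]


def filter_pool_servers(servers, feed):
    """Pool-side rule: drop any active server present in the C&C feed,
    independent of whether it is still scoring as a good time source."""
    nets = load_feed(feed)
    return [s for s in servers if not in_feed(s, nets)]


# Constructed sample traffic: 0x23 = LI 0, VN 4, mode 3 (client request).
NTP_CLIENT = bytes([0x23]) + bytes(47)
SAMPLE_FLOWS = [
    Flow("192.0.2.5", "203.0.113.10", "udp", 50000, 123, NTP_CLIENT),
    Flow("192.0.2.5", "203.0.113.10", "tcp", 50001, 443, b"not ntp"),
    Flow("192.0.2.5", "203.0.113.10", "udp", 50002, 123, b"\x23" + bytes(11)),
    Flow("192.0.2.5", "198.51.100.7", "udp", 50003, 123, NTP_CLIENT),
]

if __name__ == "__main__":
    print("naive alerts:", len(naive_alerts(SAMPLE_FLOWS, CC_FEED)))
    print("protocol-aware alerts:",
          [(f.proto, f.dport) for f in protocol_aware_alerts(SAMPLE_FLOWS, CC_FEED)])
    print("pool after filter:",
          filter_pool_servers(["203.0.113.10", "192.0.2.77", "198.51.100.7"], CC_FEED))
```

The protocol-aware check only reduces the false positives the thread complains about; it is not an evasion control, since a C&C channel can be made to look like mode 3/4 NTP on UDP/123 if the operator wants it to. The pool-side filter is the conservative counterpart: if the address is on the feed, remove it from the active list and let it come back only when the feed drops it.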
