Quoting Rob Janssen <[email protected]>:
Chuck Swiger wrote:
Hi--
On Oct 17, 2012, at 10:04 AM, sh3120 wrote:
Have sites complaining that 72.8.140.222 is showing up on command and
control server. After research determined that IP is listed in the
NTP.POOL.ORG listing of time servers. Unsure who to report this to to
get it off the list.
The mailing list for the NTP pool is <[email protected]>.
Whether a machine has been infected by malware is not related directly
to whether it is serving good time. The NTP pool has a scoring
mechanism which will remove that IP if it no longer provides good time:
I think that is not the issue.

The problem is that some intrusion detection systems or ISP systems
that attempt to detect malware will see that someone is communicating
with an IP that is on a list of command and control servers, without
checking in detail what kind of communication it is.
The result is all kinds of alarm bells going off, and potentially the
customer being disconnected and advised to scan their system for
malware.

So, we should (if we are not already doing so, I seem to remember that
this subject was discussed before) remove any systems that are known to
be C&C servers from the list of active NTP servers, no matter if they
are serving correct time or not.

Of course it will not protect everyone. When the client is a user that
reboots every day, he will stop using that particular address within a
couple of hours. But a server that has once learned the address could
keep using it nearly forever.
And of course to implement a feature like this, some feed of coming and
going C&C servers is required.
No, this Pool is not intended to decide if someone is a good citizen
or not, but only to deliver a good time source. If you disagree you
should use some handcrafted time source so you are free to apply any
rules you like.
Regards
Andreas
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
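
The check that the thread describes as missing from some detection systems (looking at what kind of communication a hit on a C&C list actually is), as an added example that is not part of the original messages. The flow-record field names, the sample addresses (documentation ranges) and the 48-byte payload heuristic for plain NTP packets are assumptions made for this sketch.

```python
from collections import defaultdict

NTP_PORT = 123
NTP_PAYLOAD = 48  # assumption: plain NTP packet, no extension fields or MAC

# Constructed sample data: one listed IP and a few flow records.
C2_LIST = {"203.0.113.10"}
SAMPLE_FLOWS = [
    {"src": "192.0.2.11", "dst": "203.0.113.10", "proto": "udp",
     "dport": 123, "packets": 4, "payload_bytes": 192},
    {"src": "192.0.2.12", "dst": "203.0.113.10", "proto": "udp",
     "dport": 123, "packets": 2, "payload_bytes": 96},
    {"src": "192.0.2.12", "dst": "203.0.113.10", "proto": "tcp",
     "dport": 443, "packets": 30, "payload_bytes": 18000},
    {"src": "192.0.2.13", "dst": "198.51.100.7", "proto": "tcp",
     "dport": 443, "packets": 12, "payload_bytes": 5200},
    {"src": "192.0.2.14", "dst": "203.0.113.10", "proto": "udp",
     "dport": 123, "packets": 3, "payload_bytes": 1400},
]

def is_ntp_shaped(flow):
    """True if the flow looks like ordinary NTP polling (heuristic)."""
    return (flow["proto"] == "udp"
            and flow["dport"] == NTP_PORT
            and flow["packets"] > 0
            and flow["payload_bytes"] == NTP_PAYLOAD * flow["packets"])

def triage(flows, c2_ips):
    """Label each (client, listed IP) pair instead of alerting on IP alone."""
    hits = defaultdict(list)
    for flow in flows:
        if flow["dst"] in c2_ips:
            hits[(flow["src"], flow["dst"])].append(flow)
    verdicts = {}
    for pair, pair_flows in hits.items():
        # "ntp-only" means lower priority for review, not suppression.
        if all(is_ntp_shaped(f) for f in pair_flows):
            verdicts[pair] = "ntp-only"
        else:
            verdicts[pair] = "investigate"
    return verdicts

if __name__ == "__main__":
    for pair, verdict in sorted(triage(SAMPLE_FLOWS, C2_LIST).items()):
        print(pair, verdict)
```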