On Mon, Dec 30, 2013 at 5:52 PM, Ask Bjørn Hansen <[email protected]> wrote:
<snip>
> For what it's worth:
>
> So far I haven't seen any indications that the attackers are using
> 'pool.ntp.org' to find servers for the reflection attack.
>
> Of the people who've (privately) written to me many (most?) have said the
> attacked server was not in the pool so I think the attackers just scanned
> the internet to find IPs.
>

As another datapoint, of the three servers I maintain that run ntpd on
public IPs, the only one that got hit by this (used in a
reflection/amplification attack) has never been in the pool. It wouldn't
surprise me to learn that they were scanning the blocks of certain hosting
providers or something of the sort. (Of course, I'm not arguing that admins
shouldn't secure their servers immediately.)

If they're helpful to anyone, I have some inbound packet captures from my
machine that was hit by this that I can share offline. The queries have
been coming in for days since I reconfigured the server to not respond.
(Obviously, I expect that the IPs are bogus.)

-- Matt
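As an added example (not code from this thread or from ntpd), here is a small triage script for the kind of inbound capture Matt describes: it reads the mode bits of each NTP packet and tallies, per claimed source address, the mode 6/7 queries that a reflector answers with amplified responses. The packets and addresses are constructed sample data, not taken from any real capture.

```python
"""Triage inbound NTP queries from a packet capture for reflection probes.
Assumes the capture has already been reduced to (source IP, UDP payload)
pairs; the sample packets at the bottom are constructed, not real data.
"""
from __future__ import annotations
from collections import Counter

# NTP mode is the low 3 bits of the first byte.  Mode 7 is the
# implementation-private mode abused by the 2013 reflection attacks
# (monlist); mode 6 is the control protocol; mode 3 is a normal client.
MODE_NAMES = {3: "client", 4: "server", 6: "control", 7: "private"}


def parse_ntp_header(payload: bytes) -> dict:
    """Split the first byte of an NTP packet into LI, VN and mode."""
    if len(payload) < 1:
        raise ValueError("empty payload")
    first = payload[0]
    return {"li": first >> 6, "vn": (first >> 3) & 0x7, "mode": first & 0x7}


def triage(packets: list[tuple[str, bytes]]) -> dict:
    """Count queries per mode and flag sources sending mode 6/7 queries.

    A reflector cannot tell a spoofed source from a real one, so the
    per-source counts identify the victims being targeted, not the
    attacker.  That is why Matt expects the captured IPs to be bogus.
    """
    by_mode: Counter = Counter()
    suspicious: Counter = Counter()
    for src, payload in packets:
        hdr = parse_ntp_header(payload)
        by_mode[MODE_NAMES.get(hdr["mode"], str(hdr["mode"]))] += 1
        if hdr["mode"] in (6, 7):
            suspicious[src] += 1
    return {"by_mode": dict(by_mode), "suspicious_sources": dict(suspicious)}


# Constructed sample: one ordinary v4 client query (0x23 = VN 4, mode 3)
# and a burst of v2 mode-7 queries (0x17) carrying a spoofed victim source.
SAMPLE = [("198.51.100.7", bytes([0x23]) + bytes(47))] + \
         [("203.0.113.9", bytes([0x17]) + bytes(7))] * 5

if __name__ == "__main__":
    print(triage(SAMPLE))
```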
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool