On Fri, 21 Feb 2014 20:35:03 -0500 (EST), Mouse
<[email protected]> wrote:
>That will continue for a nontrivial time.
Yes; since the amp attacker has no idea whether the target is being
bombarded...
>That was over a week ago. I'm still getting high rates of packets to
>port 123, even though I haven't supported monlist for over a week.
I did packet-drop rules in the router for the worst (avg < 4) hosts before
turning off query. It's at least two months since I last responded to any
external request other than time. The rules are still there, but six of
the original nine offenders are still chugging away. Turning off query
caused the number of new high-volume abusers joining the party to drop to
near zero.
Looking at logs for a router on another network that doesn't connect an NTP
server, I see at least one port 123 packet refused per hour, so they are
definitely still looking.
mdr
--
"There are no laws here, only agreements."
-- Masahiko
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
