On Sat, 2009-04-04 at 22:47 +0200, Martin Schröder wrote:
> Notable things:
> - all systems are in the subnet 95.65.128.0/17, a Turkish DSL provider
> - some systems appear multiple times in the list
> - the ports "scanned" are all >1024
>
> To me this looks like systems from the subnet flooded our ntpd with
> requests, and the provider detected the resulting traffic as "scan".
I find it somewhat disconcerting that the abuse report doesn't include the
source *port*. That would be the quickest and easiest way to verify that NTP
was involved. However, it sounds like someone just got a new firewall and
didn't think things through before firing off an abuse complaint.

> I want to add this:
> -------------------
> restrict 95.65.128.0 mask 255.255.128.0 ignore
> -------------------
> to block KOCNET-DSL. Are there better options?

It looks like the traffic wasn't to a single IP address; most rate-limiting
methods react by IP address and wouldn't catch this. If I received a similar
complaint, I'd consider it a request from the network in question to drop NTP
queries from their network. (It's impossible to be sure, of course, without
knowing the source port!)

-rt
-- 
Ryan Tucker <[email protected]>
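The two checks the reply asks for (does the logged traffic carry NTP's source port, and how much of it lands inside the complaining provider's /17) are easy to script against your own firewall or flow logs. The following is an added example written for this editorial pass, not code from the thread or from the ntp project. The log-line format, the server address 198.51.100.7 and the sample lines are all constructed for the example; it also renders the `restrict` line from the thread from a CIDR so the mask is computed rather than typed by hand.

```python
import ipaddress
from collections import Counter

# Constructed sample in a hypothetical firewall-log format (not from the thread):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
# 198.51.100.7 stands in for the NTP server that received the abuse report.
SAMPLE_LOG = """\
2009-04-04T20:11:02 198.51.100.7:123 -> 95.65.130.14:50231 udp
2009-04-04T20:11:02 198.51.100.7:123 -> 95.65.201.9:33812 udp
2009-04-04T20:11:03 198.51.100.7:123 -> 95.65.130.14:50232 udp
2009-04-04T20:11:05 198.51.100.7:40000 -> 95.65.140.2:22 tcp
2009-04-04T20:11:06 198.51.100.7:123 -> 203.0.113.55:40123 udp
"""

NTP_PORT = 123          # ntpd answers from UDP/123
EPHEMERAL_FLOOR = 1024  # client-side reply ports are normally above this


def parse_line(line):
    """Split one log line into (timestamp, src_ip, src_port, dst_ip, dst_port, proto)."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, int(src_port), dst_ip, int(dst_port), proto


def is_ntp_reply(src_port, dst_port, proto):
    """True if the flow looks like an NTP server reply: UDP from 123 to an ephemeral port."""
    return proto == "udp" and src_port == NTP_PORT and dst_port >= EPHEMERAL_FLOOR


def summarize(log_text, cidr):
    """Count how the logged flows relate to the complaining provider's network.

    Returns a dict with per-category flow counts plus the number of distinct
    destination hosts inside the network, which is what tells you whether a
    per-address rate limit would have helped.
    """
    net = ipaddress.ip_network(cidr)
    counts = Counter()
    subnet_hosts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _src_ip, src_port, dst_ip, dst_port, proto = parse_line(line)
        in_subnet = ipaddress.ip_address(dst_ip) in net
        ntp = is_ntp_reply(src_port, dst_port, proto)
        if in_subnet:
            subnet_hosts.add(dst_ip)
            counts["ntp_replies_to_subnet" if ntp else "other_traffic_to_subnet"] += 1
        else:
            counts["ntp_replies_elsewhere" if ntp else "other_traffic_elsewhere"] += 1
    result = dict(counts)
    result["distinct_subnet_hosts"] = len(subnet_hosts)
    return result


def restrict_line(cidr, flags="ignore"):
    """Render an ntp.conf 'restrict' line for the network, in the form used in the thread."""
    net = ipaddress.ip_network(cidr)
    return f"restrict {net.network_address} mask {net.netmask} {flags}"


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "95.65.128.0/17"))
    print(restrict_line("95.65.128.0/17"))
```

On the constructed sample the summary shows three NTP replies spread over three hosts in the /17 and one unrelated TCP flow, which is the pattern the reply describes: ntpd's own `limited`/`kod` restrict flags act per source address, so a flood coming from many addresses in one block is better handled by a network-wide `restrict` line than by per-address rate limiting.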
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
