Date: Wed, 27 Jan 2016 17:05:55 +0400
From: Loganaden Velvindron <loganaden@...il.com>
To: oss-security@...ts.openwall.com
Cc: pool@...ts.ntp.org, linuxbrad@...il.com, team@...urity.debian.org, 
	secalert@...hat.com
Subject: Re: shodan.io actively infiltrating ntp.org IPv6 pools
 for scanning purposes

On Wed, Jan 27, 2016 at 3:24 PM, Luca BRUNO <lucab@...ian.org> wrote:

> [cross-posted to pool-ntp and oss-sec]
>
> Hi,
> while reviewing network logs this morning I spotted some anomalies related
> to scan probes, ntp.org pools and IPv6.
>
> It looks like Brad already observed and blogged about this some days ago,
> but I haven't seen this discussed in the usual ntp-pools, Debian and
> oss-sec ML, so I'm reposting this here:
>
> http://netpatterns.blogspot.de/2016/01/the-rising-sophistication-of-network.html
>
> In summary, some machines (which seem related to the shodan.io scanning
> project) are actively participating in pool.ntp.org as IPv6 endpoints.
> However, clients connecting to them for NTP timesync are subsequently
> scanned by probes originating from *.scan6.shodan.io hosts.
>
>
Shouldn't we have some kind of policy for operators participating in
pool.ntp.org to prevent such issues?
