Date: Wed, 27 Jan 2016 17:05:55 +0400 From: Loganaden Velvindron <loganaden@...il.com> To: oss-security@...ts.openwall.com Cc: pool@...ts.ntp.org, linuxbrad@...il.com, team@...urity.debian.org, secalert@...hat.com Subject: Re: shodan.io actively infiltrating ntp.org IPv6 pools for scanning purposes On Wed, Jan 27, 2016 at 3:24 PM, Luca BRUNO <lucab@...ian.org> wrote: > [cross-posted to pool-ntp and oss-sec] > > Hi, > while reviewing network logs this morning I spotted some anomalies related > to scan probes, ntp.org pools and IPv6. > > It looks like Brad already observed and blogged about this some days ago, > but I haven't seen this discussed in the usual ntp-pools, Debian and > oss-sec ML, so I'm reposting this here: > > http://netpatterns.blogspot.de/2016/01/the-rising-sophistication-of-network.html > > In summary, some machines (which seem related to the shodan.io scanning > project) > are actively participating in pool.ntp.org as IPv6 endpoints. > However, clients connecting to them for NTP timesync, are subsequently > scanned > by probes originating from *.scan6.shodan.io hosts. > > Shouldn't we have some kind of policy for operators participating in pool.ntp.org to prevent such issues ?
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ