echo: alt-comp-anti-virus
to: ALL
from: VIRUS GUY
date: 2014-12-21 02:04:00
subject: Re: Jesus Christ! - even

While using improper usenet message-composition style by unnecessarily
full-quoting, "David H. Lipman" wrote:

> > Attack code exploiting critical bugs in net time sync puts
> > servers at risk

> It explains the extra activity hitting one of my Routers.
> 
> [DoS Attack: TCP/UDP Chargen] from source: 108.61.73.244, port 123
> [DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
> [DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
> [DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
> [DoS Attack: TCP/UDP Chargen] from source: 162.243.55.105, port 123
> [DoS Attack: TCP/UDP Chargen] from source: 162.243.55.105, port 123
> [DoS Attack: TCP/UDP Chargen] from source: 162.243.55.105, port 123
> [DoS Attack: TCP/UDP Chargen] from source: 166.70.136.41, port 123
> [DoS Attack: TCP/UDP Chargen] from source: 198.110.48.12, port 123

Um - did you notice that 149.20.68.17 resolves to pool-test.ntp.org?

Do you really believe that pool-test.ntp.org is probing you for this NTP
vulnerability?

As to why you would be receiving NTP queries from pool-test.ntp.org, I
have no idea.  Anyone care to put forward an explanation?

Your other IPs resolve to:

108.61.73.244  = helium.constant.com
162.243.55.105 = server1.nyc.shellvatore.us
166.70.136.41  = 166-70-136-41.xmission.com
198.110.48.12  = time01.muskegonisd.org

Someone thinks that you are operating a registered public NTP server on
your IP.

I myself am seeing NTP queries on my home router, from:

46.36.38.113    = (cute - it resolves to a null FQDN)
71.6.165.200    = census12.shodan.io
134.147.203.115 = scanresearch1.syssec.ruhr-uni-bochum.de

shodan.io is an outfit that is probing all of IPv4 space, looking for
connected devices (routers, cameras, etc.) as it builds a "census" of the
"internet of things".

134.147.203.115 is also probing my IP on port 53.  A German university
host that's scanning the internet - a questionable use of public
educational resources if you ask me.

By the way, since when does a single (or even a handful) of NTP queries
constitute a "DoS Attack"?

I think the point of malicious NTP queries is to probe for this
newly-discovered vulnerability - not to perform a DoS attack.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
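The log-reading point made above, as an added example that is not the poster's own code: parse lines in the quoted router format, group hits per source address, name the service by the logged port (123 = NTP, 19 = Chargen, a mapping assumed here), flag lines whose "Chargen" label does not match the port, and only call something a flood when a single source exceeds a count threshold. The threshold and the final port-19 line are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the router's log format; the first five lines are the
# addresses quoted in the post, the last is a made-up private-range line.
SAMPLE_LOG = """\
[DoS Attack: TCP/UDP Chargen] from source: 108.61.73.244, port 123
[DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
[DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
[DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
[DoS Attack: TCP/UDP Chargen] from source: 162.243.55.105, port 123
[DoS Attack: TCP/UDP Chargen] from source: 10.0.0.5, port 19
"""

LINE_RE = re.compile(
    r"\[DoS Attack: (?P<label>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), port (?P<port>\d+)"
)
# Assumed port-to-service map for the two services the router conflates.
SERVICE_BY_PORT = {123: "NTP", 19: "Chargen"}


def parse_events(text):
    """Return (ip, port, router_label) tuples for every line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ip"], int(m["port"]), m["label"]))
    return events


def triage(text, flood_threshold=50):
    """Group hits per source, name the service by port, note label mismatches,
    and keep a flood verdict only when one source exceeds flood_threshold."""
    per_ip = defaultdict(Counter)
    mislabeled = set()
    for ip, port, label in parse_events(text):
        per_ip[ip][port] += 1
        # The router says "Chargen", but port 123 is NTP: label does not fit.
        if "Chargen" in label and port != 19:
            mislabeled.add(ip)
    report = {}
    for ip, ports in per_ip.items():
        total = sum(ports.values())
        report[ip] = {
            "hits": total,
            "services": sorted(SERVICE_BY_PORT.get(p, f"port {p}") for p in ports),
            "label_mismatch": ip in mislabeled,
            "verdict": "possible flood" if total >= flood_threshold else "probe/query",
        }
    return report
```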
