"David H. Lipman"
news:b4-dnX43Xf4YugrJnZ2dnUU7-fudnZ2d@giganews.com Sun, 21 Dec 2014
20:03:19 GMT in alt.comp.anti-virus, wrote the following message:
> From: "Virus Guy"
>
>> While using improper usenet message-composition style by
>> unnecessarily full-quoting, "David H. Lipman" wrote:
>>
>>>> Attack code exploiting critical bugs in net time sync puts
>>>> servers at risk
>>
>>> It explains the extra activity hitting one of my Routers.
>>>
>>> [DoS Attack: TCP/UDP Chargen] from source: 108.61.73.244, port 123
>>> [DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
>>> [DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
>>> [DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
>>> [DoS Attack: TCP/UDP Chargen] from source: 162.243.55.105, port 123
>>> [DoS Attack: TCP/UDP Chargen] from source: 162.243.55.105, port 123
>>> [DoS Attack: TCP/UDP Chargen] from source: 162.243.55.105, port 123
>>> [DoS Attack: TCP/UDP Chargen] from source: 166.70.136.41, port 123
>>> [DoS Attack: TCP/UDP Chargen] from source: 198.110.48.12, port 123
>>
>> Um - did you notice that 149.20.68.17 resolves to
>> pool-test.ntp.org?
>>
>> Do you really believe that pool-test.ntp.org is probing you for
>> this NTP vulnerability?
>>
>> As to why you would be receiving NTP queries from
>> pool-test.ntp.org, I have no idea. Anyone care to put forward an
>> explanation?
>>
>> Your other IPs resolve to:
>>
>> 108.61.73.244 = helium.constant.com
>> 162.243.55.105 = server1.nyc.shellvatore.us
>> 166.70.136.41 = 166-70-136-41.xmission.com
>> 198.110.48.12 = time01.muskegonisd.org
>>
>> Someone thinks that you are operating a registered public NTP
>> server on your IP.
>>
>> I myself am seeing NTP queries on my home router, from:
>>
>> 46.36.38.113 = (cute - it resolves to a null FQDN)
>> 71.6.165.200 = census12.shodan.io
>> 134.147.203.115 = scanresearch1.syssec.ruhr-uni-bochum.de
>>
>> shodan.io is an outfit that is probing all of IPv4 space, looking
>> for connected devices (routers, cameras, etc) as it builds a
>> "census" of the "internet of things".
>>
>> 134.147.203.115 is also probing my IP on port 53. A German
>> university host that's scanning the internet - a questionable use
>> of public educational resources if you ask me.
>>
>> By the way, since when does a single NTP query (or even a handful
>> of them) constitute a "DoS Attack"?
>>
>> I think the point of malicious NTP queries is to probe for this
>> newly-discovered vulnerability - not to perform a DoS attack.
>
> That was just a short excerpt from one log. There is way more to
> the log and I didn't care about who the IP belongs to. A couple of
> months ago, that wasn't in the log to the same level I am seeing
> Today.
At one point, I actually had a network configured to email logs to my
phone... I stopped doing that in short order. Lots of incoming
blocked garbage. I explained it's mostly background noise, and
people knocking on the door who cannot come in. Heh.
--
My truck does not leak. It's just marking its territory!
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
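The thread turns on two questions that the router's one-line alerts do not answer by themselves: how many packets each source actually sent (a single probe from a scanner is not a flood), and whether the "Chargen" label even matches the port the router reports. The script below is an added example, not code from any poster in the thread. It parses log lines in the format quoted above (the sample is constructed here, not the poster's real log), counts packets per source and port, classifies each source by volume, and flags entries where the router's label names one service (chargen is port 19) while the reported port is another (123 is NTP). The reverse-DNS table is hardcoded from the names the thread lists so the example runs offline; in practice you would call socket.gethostbyaddr() per source. The flood threshold of 50 is an arbitrary assumption, not a value from the thread.

```python
import re
from collections import Counter

# Constructed sample in the same line format as the router log quoted in the thread.
SAMPLE_LOG = """\
[DoS Attack: TCP/UDP Chargen] from source: 108.61.73.244, port 123
[DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
[DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
[DoS Attack: TCP/UDP Chargen] from source: 149.20.68.17, port 123
[DoS Attack: TCP/UDP Chargen] from source: 162.243.55.105, port 123
[DoS Attack: TCP/UDP Chargen] from source: 162.243.55.105, port 123
[DoS Attack: TCP/UDP Chargen] from source: 162.243.55.105, port 123
[DoS Attack: TCP/UDP Chargen] from source: 166.70.136.41, port 123
[DoS Attack: TCP/UDP Chargen] from source: 198.110.48.12, port 123
"""

LOG_RE = re.compile(
    r"^\[DoS Attack: (?P<label>[^\]]+)\] from source: (?P<src>[\d.]+), port (?P<port>\d+)$"
)

# IANA well-known ports for the UDP services that commonly show up in home-router alerts.
PORT_NAMES = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

# Hardcoded rDNS answers taken from the names quoted in the thread (assumed table so the
# example runs offline; replace with socket.gethostbyaddr() for live lookups).
RDNS = {
    "108.61.73.244": "helium.constant.com",
    "149.20.68.17": "pool-test.ntp.org",
    "162.243.55.105": "server1.nyc.shellvatore.us",
    "166.70.136.41": "166-70-136-41.xmission.com",
    "198.110.48.12": "time01.muskegonisd.org",
}


def parse(log_text):
    """Return (src, port, label) tuples for every line matching the router format."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m["src"], int(m["port"]), m["label"]))
    return events


def classify(count, flood_threshold=50):
    """Volume-based verdict; the threshold is an assumption, tune it to your link."""
    if count >= flood_threshold:
        return "possible flood"
    if count > 1:
        return "repeated probe or monitor"
    return "single probe"


def summarize(events, flood_threshold=50):
    """Aggregate packets per (source, port), most active source first, with rDNS name."""
    counts = Counter((src, port) for src, port, _ in events)
    rows = []
    for (src, port), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0])):
        rows.append({
            "src": src,
            "port": port,
            "service": PORT_NAMES.get(port, f"port {port}"),
            "count": n,
            "verdict": classify(n, flood_threshold),
            "rdns": RDNS.get(src, "(no PTR)"),
        })
    return rows


def label_mismatches(events):
    """Sources whose alert label names a service other than the one on the reported port.

    A 'Chargen' label on port 123 means the router is pattern-matching on something
    other than the port number, so the label alone should not drive triage.
    """
    bad = set()
    for src, port, label in events:
        service = PORT_NAMES.get(port)
        if service and service not in label.lower():
            bad.add(src)
    return sorted(bad)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for row in summarize(ev):
        print(f"{row['src']:<16} {row['rdns']:<30} {row['service']:<5} "
              f"x{row['count']:<3} {row['verdict']}")
    print("label/port mismatches:", label_mismatches(ev))
```

On the constructed sample no source exceeds three packets, so nothing is classified as a flood, and every entry is a label mismatch, which is the thread's point: the router's "DoS Attack" wording describes a signature name, not observed volume.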