[c-nsp] NTP DDoS
SilverTip257
silvertip257 at gmail.com
Wed Feb 12 21:12:45 EST 2014
On Wed, Feb 12, 2014 at 2:36 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> > Something I can point customers to for testing their own set ups. ;)
>
What I was trying to say is that openntp project URL is something I can
point customers at and they should understand. Some of my customers are
dense.
Sadly, a few of them try to tell me that information I give them doesn't
work. But when they say "hey, here's my credentials, why don't you fix it
for me?" ... I come to find (yes, I'm a nice guy) that everything I sent
them was spot on (as I expected).
Copy+paste is over-rated. o_O
>
> On a Linux or mac
>
> ntpdc -c monlist xxx.xxx.xxx.xxx
>
Yep. And loopinfo and iostats commands.
nmap has a ntp-monlist script that is helpful (combined with the grep-able
output option).
I'm about due for running another ntp-monlist scan ... [when DNS
amplification attacks were real bad a few months ago, we told a customer to
disable DNS recursion ... he instead shut off bind/named for that day and
turned it back on some time later].
>
> If you get a reply (which will consist of a list of IP addresses that have
> sync'd with the daemon) then the server has a non optimal config. ... and
> if it's already been found by others they will all be listed. .. You might
> even see openntp project and team cymru servers listed ;)
>
> Alan
--
---~~.~~---
Mike
// SilverTip257 //
More information about the cisco-nsp
mailing list