Сервера входящие в группу pool.ntp.org используются известным проектом shodan для сканирования клиентов.
Лука Бруно (Luca Bruno), разработчик Debian, говорит:
In summary, some machines (which seem related to the shodan.io scanning project) are actively participating in pool.ntp.org as IPv6 endpoints. However, clients connecting to them for NTP timesync, are subsequently scanned by probes originating from *.scan6.shodan.io hosts.
Далее приводит пруф, и слезно умоляет что-нибудь сделать:
For ntp.org admins: can those rogue server be expunged from the pools, and the whole shodan.io situation clarified? (Brad's post has a comprehensive endpoints list and helper tools for detection)
For oss-sec crowd: is there anything we can do to improve the situation and avoid similar cases in the future? Should crowd-sourced and fundamental services like this be encouraged to move to a stronger WoT?
