<div dir="ltr"><div><div>Many ESX boxes do, as do many server IPMI devices, other OOB devices and telephony/vc devices. Out of the box even many Linux distros do. <br><br></div>It seems to be a default in many devices that turning on an NTP client also turns on an NTP server. In other words, if you're using NTP time sync on your network, a check should be performed just to be sure. "I'm only a client" doesn't mean you're safe.<br>
<br></div>Pretty simple to scan your own netblocks for it, <a href="http://vk5tu.livejournal.com/44795.html">http://vk5tu.livejournal.com/44795.html</a> has a good write-up (hat tip to Glen Turner). <br><div><br><br></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Feb 12, 2014 at 2:25 PM, Joseph Goldman <span dir="ltr">&lt;<a href="mailto:joe@apcs.com.au" target="_blank">joe@apcs.com.au</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    My ESX servers seemed to have NTP open by default too.<div><div class="h5"><br>
    <br>
    <div>On 12/02/14 15:15, Nathan Brookfield
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      
      
      <div>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We’ve
            had some customers’ boxes through UECOMM IP transit
            compromised this morning, only small links but they’re
            certainly going hard.  A few clients run Zimbra which is
            VMware’s mail server and it appears to have NTP open by
            default.<u></u><u></u></span></p>
        <p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" lang="EN-US">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" lang="EN-US"> AusNOG
            [<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">mailto:ausnog-bounces@lists.ausnog.net</a>]
            <b>On Behalf Of </b>Joshua D'Alton<br>
            <b>Sent:</b> Wednesday, 12 February 2014 3:03 PM<br>
            <b>Cc:</b> <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a><br>
            <b>Subject:</b> Re: [AusNOG] NTP reflection used for world's
            largest DDoS<u></u><u></u></span></p>
        <div>
          <p class="MsoNormal">And looks like another one is running,
            level3 seems totally decimated at the moment, 100ms+ on
            usual routes.<u></u><u></u></p>
        </div>
        <div>
          <div>
            <p class="MsoNormal">On Tue, Feb 11, 2014 at 2:51 PM, Daniel
              Watson &lt;<a href="mailto:daniel@glovine.com.au" target="_blank">daniel@glovine.com.au</a>&gt;
              wrote:<u></u><u></u></p>
            <div>
              <div>
                <div>
                  <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><a href="http://www.itnews.com.au/News/372033,worlds-largest-ddos-strikes-us-europe.aspx" target="_blank">http://www.itnews.com.au/News/372033,worlds-largest-ddos-strikes-us-europe.aspx</a><u></u><u></u></span></p>

                </div>
                <div>
                  <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">What
                      is the world coming to.<u></u><u></u></span></p>
                </div>
                <div>
                  <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#888888">D.<u></u><u></u></span></p>
                </div>
              </div>
            </div>
            <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
              _______________________________________________<br>
              AusNOG mailing list<br>
              <a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
              <a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><u></u><u></u></p>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>
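<p>Added example, not part of the original thread or of the linked write-up: a minimal check of the point made in the top reply, that a host configured "only as a client" may still answer as an NTP server. It sends one ordinary client (mode 3) time query to each address in a netblock you operate and reports hosts that reply in server mode (mode 4); the function names, the IPv4-only socket and the one-second timeout are assumptions of this sketch.</p>

```python
import ipaddress
import socket
import struct
import sys

NTP_PORT = 123

def build_client_query(version=4):
    """48-byte NTP header: LI=0, VN=version, Mode=3 (client), rest zero."""
    return struct.pack("!B47x", (version << 3) | 3)

def parse_reply(data):
    """Return (mode, version, stratum), or None if too short for NTP."""
    if len(data) < 48:
        return None
    first, stratum = struct.unpack("!BB", data[:2])
    return first & 0x7, (first >> 3) & 0x7, stratum

def answers_as_server(data):
    """True when the datagram is a mode 4 (server) reply."""
    parsed = parse_reply(data)
    return parsed is not None and parsed[0] == 4

def probe(host, timeout=1.0):
    """Send one client query; return the raw reply, or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_client_query(), (str(host), NTP_PORT))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, unreachable, refused
            return None
    return data

def audit(netblock):
    """Yield (host, version, stratum) for hosts that answer as servers."""
    for host in ipaddress.ip_network(netblock).hosts():
        data = probe(host)
        if data is not None and answers_as_server(data):
            _, version, stratum = parse_reply(data)
            yield str(host), version, stratum

# Constructed sample reply: LI=0, VN=4, Mode=4, stratum 3, rest zeroed.
SAMPLE_REPLY = bytes([0x24, 3]) + bytes(46)

if __name__ == "__main__":
    for net in sys.argv[1:]:  # netblocks you operate, in CIDR notation
        for found in audit(net):
            print("answers as NTP server:", *found)
```

<p>A reply here only shows that the daemon is reachable and serving time; which other query types it permits depends on the daemon's access restrictions, which need reviewing on every host the audit reports.</p>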