For folks only looking for a cautionary tale, who don't worry about larger security trends and only want to keep their own machine safe, that's a fine takeaway.
For people who do care about network security, it is a very interesting post for a few reasons.
If someone is harvesting IPs from NTP queries sent to Debian infrastructure for intelligence gathering, that in itself is a big deal.
It is also a somewhat novel technique - if an attacker is placed such that they can see the first NTP queries sent by a new install, they are well placed to target that device before it is fully hardened/patched, because they likely see some of the first packets sent by that install. It is really rather clever.
It also points to the sort of correlation we need to be getting better at - orchestration isn't just for devops weenies anymore, and this sort of thing is only going to become more sophisticated.
I've been noodling about with making a tool for making this sort of analysis easier, but there are a number of problems to fix, not least of which is the sheer volume of data generated watching the wire, even on my home network (which is a bit absurd for your average home, but tiny compared to a business of any size).
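The correlation the comment above is after, as an added example that is not part of any commenter's tool: given flow records, flag hosts whose very first packet seen on the wire is an NTP query to the Debian pool, since that is the signature of a fresh install that has not yet been patched or hardened. The flow tuples are constructed sample data, and the `.debian.pool.ntp.org` suffix is the only assumption taken from the thread.

```python
"""Flag hosts whose first observed flow is an NTP query to the Debian pool.

Such hosts are likely fresh installs and deserve early attention (patching,
monitoring) before anyone else who can see those packets acts on them.
"""
from collections import OrderedDict

# Constructed sample flow records (not real traffic):
# (timestamp, src_ip, proto, dst_port, dst_hostname)
SAMPLE_FLOWS = [
    (1000.0, "10.0.0.5",  "udp", 53,  "dns.example.lan"),
    (1001.0, "10.0.0.5",  "tcp", 443, "deb.debian.org"),
    (1002.5, "10.0.0.42", "udp", 123, "0.debian.pool.ntp.org"),
    (1003.0, "10.0.0.42", "udp", 123, "1.debian.pool.ntp.org"),
    (1004.0, "10.0.0.42", "tcp", 443, "deb.debian.org"),
    (1005.0, "10.0.0.7",  "udp", 123, "time.example.lan"),
]

DEBIAN_POOL_SUFFIX = ".debian.pool.ntp.org"  # from the thread: [0-3].debian.pool.ntp.org


def is_debian_pool_ntp(proto, dst_port, dst_name):
    """True for an NTP (udp/123) query addressed to a Debian pool hostname."""
    return proto == "udp" and dst_port == 123 and dst_name.endswith(DEBIAN_POOL_SUFFIX)


def first_seen_flows(flows):
    """Return the earliest flow observed per source IP, ordered by first appearance."""
    first = OrderedDict()
    for flow in sorted(flows, key=lambda f: f[0]):
        first.setdefault(flow[1], flow)  # keep only the first flow per source
    return first


def fresh_install_report(flows):
    """Map each suspected fresh install to its first-seen time and the pool hosts it queried."""
    report = {}
    for src, (ts, _src, proto, port, name) in first_seen_flows(flows).items():
        if is_debian_pool_ntp(proto, port, name):
            pool_hosts = sorted({f[4] for f in flows if f[1] == src and is_debian_pool_ntp(*f[2:])})
            report[src] = {"first_seen": ts, "pool_hosts": pool_hosts}
    return report


if __name__ == "__main__":
    for src, info in fresh_install_report(SAMPLE_FLOWS).items():
        print(f"{src}: first seen {info['first_seen']}, queried {info['pool_hosts']}")
```

A host whose first packet is NTP to some other server (10.0.0.7 above) is deliberately not flagged; only the Debian default pool is treated as the fresh-install signal.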
Debian does use [0-3].debian.pool.ntp.org as the default NTP servers, however. Debian (and Ubuntu) also start up the NTP daemon as soon as the client is installed -- even before one has a chance to change those default servers.