This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is this normal in UTM 9.2 ....

ntp server is not hardened enought ?

ntpq -c rv "UTM92-IP"
associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
version="ntpd 4.2.6p5@1.2349 Tue Feb  4 13:03:59 UTC 2014 (1)",
processor="x86_64", system="Linux/3.8.13.27-32.g5666955-smp64", leap=00,
stratum=3, precision=-22, rootdelay=55.022, rootdisp=65.708,
refid=37.187.107.140,
reftime=d82f3c76.fed524c4  Sun, Dec  7 2014 21:52:06.995,
clock=d82f3c98.714de5fe  Sun, Dec  7 2014 21:52:40.442, peer=54678, tc=7,
mintc=3, offset=0.498, frequency=-14.866, sys_jitter=0.752,
clk_jitter=0.624, clk_wander=0.086

... sophos utm and ntp stack is open ....

"How can I check my server? - run the command ntpdc -n -c monlist 192.0.2.1 or ntpq -c rv 192.0.2.1 - If you see a response, your server may be used in attacks."

good job ...

bye

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 10 years ago

What do you have set for NTP Allowed Networks in your UTM (Network Services>>NTP)?
Were you checking from an internal machine or from over the internet?
Do you have a DNAT forwarding NTP requests to something on your internal network?

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 ledufakademy over 10 years ago in reply to Scott_Klassen

What do you have set for NTP Allowed Networks in your UTM (Network Services>>NTP)?
Were you checking from an internal machine or from over the internet?
Do you have a DNAT forwarding NTP requests to something on your internal network?

checking from lan, this normal use BUT if a workstation is infected, the bot can use ntp reflection attack in order to make a dos.

"monlist" command but also "rv" MUST BE DISABLE,
"rv : the state of the local clock can be determined using the rv command"
in both case with a simple ip src spoofing the utm will act as a massive reflector for the src ip wihich is ther target ... it's a massive DOS iwth ntp.

Juniper also had this problem..

poc here : Blog Stéphane Bortzmeyer: Un exemple d'attaque NTP par réflexion
(in french)
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 ledufakademy over 10 years ago in reply to Scott_Klassen

What do you have set for NTP Allowed Networks in your UTM (Network Services>>NTP)?
Were you checking from an internal machine or from over the internet?
Do you have a DNAT forwarding NTP requests to something on your internal network?

checking from lan, this normal use BUT if a workstation is infected, the bot can use ntp reflection attack in order to make a dos.

"monlist" command but also "rv" MUST BE DISABLE,
"rv : the state of the local clock can be determined using the rv command"
in both case with a simple ip src spoofing the utm will act as a massive reflector for the src ip wihich is ther target ... it's a massive DOS iwth ntp.

Juniper also had this problem..

poc here : Blog Stéphane Bortzmeyer: Un exemple d'attaque NTP par réflexion
(in french)
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BrucekConvergent over 10 years ago in reply to ledufakademy

I suggest you contact Sophos via phone or email per the info on this page Contact Support - Sophos Technical Support: SophosTalk, Knowledgebase, User Bulletin Board and Customer Resource Centers - Cloud Antivirus, Endpoint, UTM, Encryption, Mobile, DLP, Server, Web, Wireless Security, Network Storage and Next-Gen Firewall (choose I have Premium Support for the listing) and inform them of your findings.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 flichtenheld over 10 years ago in reply to BrucekConvergent

Hi.

I can confirm that UTM currently only disables the monlist command, it does not completely disable all query commands. The monlist command was the one used originally for the DDoS attacks and has a much higher amplication factor than all other commands.

We will investigate whether it might be better to disable queries completely.

Regards,
Frank
Cancel
Vote Up 0 Vote Down

Cancel
0 darrellr_01 over 10 years ago in reply to ledufakademy

checking from lan, this normal use BUT if a workstation is infected, the bot can use ntp reflection attack in order to make a dos.

How would the workstation, making a request to the ntpd on the server, cause a DoS? Are you talking about causing a DoS of the internal network from the internal network? That *might* be possible, but that would be a terribly ineffcient and noisy way to try to cause a DoS. Once you are on the inside, there are far more interesting things one could do. But the UTM should not be vulnerable to spoofing, and even if you did spoof, as indicated above, if your allowed list in NTP is configured properly, it wouldn't allow the spoofed addresses anyway. I might be misunderstanding, but an attacker inside your protected network, is probably not looking to cause a DoS from inside your network.
Cancel
Vote Up 0 Vote Down

Cancel

Is this normal in UTM 9.2 ....

Submitted a Tech Support Case lately from the Support Portal?