This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

NTP monlist?

Hi,

I examined my Network live log today and watched thousands of NTP dropped entries fly by;

09:48:36 Default DROP UDP 69.162.86.180:80 66.46.243.38:123
09:48:36 Default DROP UDP 198.245.51.115:80 66.46.243.38:123
09:48:36 Default DROP UDP 88.156.212.91:80 66.46.243.35:123

I examined my NTP server settings and had allowed "ANY" to access the NTP server.

A quick google search revealed that the new hotness is an NTP reflection and amplification attack using NTP servers that support MON_GETLIST "monlist"

Understanding and mitigating NTP-based DDoS attacks | CloudFlare Blog

I changed my NTP server settings to only support internal networks and the log events slowed and stopped.

Can anyone confirm that the UTM 9.106-17 and/or 9.108-23 has the potential to participate in NTP DDOS?

Thanks.

This thread was automatically locked due to age.

0 JonEtkins over 11 years ago

Hi, Brian. I don't have an answer, only a question: What do you gain by opening NTP up to the internet? I would have thought best practice would be to lock down internal services to internal traffic, but am I missing something? Does opening it up to external traffic increase accuracy or redundancy somehow?

Just curious.

Thanks,
Jon.
Cancel
Vote Up 0 Vote Down

Cancel
0 Brian Buchanan over 11 years ago

It was open to join pool.ntp.org: the internet cluster of ntp servers and offer NTP services to the public.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

Hi, the UTM is running NTP 4.2.6, which is vulnerable unless monlist is disabled in the config.

https://community.sophos.com/products/unified-threat-management/astaroorg/f/53/t/34313

Barry
Cancel
Vote Up 0 Vote Down

Cancel