NTP monlist?

Hi,

I examined my Network live log today and watched thousands of NTP dropped entries fly by:

09:48:36 Default DROP UDP 69.162.86.180:80 66.46.243.38:123
09:48:36 Default DROP UDP 198.245.51.115:80 66.46.243.38:123
09:48:36 Default DROP UDP 88.156.212.91:80 66.46.243.35:123


I examined my NTP server settings and had allowed "ANY" to access the NTP server.

A quick Google search revealed that the new hotness is an NTP reflection and amplification attack using NTP servers that support MON_GETLIST ("monlist"):

Understanding and mitigating NTP-based DDoS attacks | CloudFlare Blog

I changed my NTP server settings to only support internal networks and the log events slowed and stopped.

Can anyone confirm that the UTM 9.106-17 and/or 9.108-23 has the potential to participate in NTP DDoS?

Thanks.
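Added example (not code from the original post, from Sophos or from the CloudFlare article): a Python script that shows what a monlist query looks like on the wire and why it amplifies. The request is an 8-byte NTP mode 7 (private) packet with request code 42 (MON_GETLIST_1); a server that answers returns 72-byte entries packed six to a 440-byte packet, up to 100 packets, so one small spoofed packet pulls kilobytes back toward the spoofed source. The reply used below is constructed in the script to imitate ntpd's packing, not a capture; `probe()` is an optional live check against a host you are authorised to test, where no answer at all (the query dropped by a `noquery`/internal-only restriction) is the outcome you want.

```python
"""Build an NTP mode 7 MON_GETLIST_1 ("monlist") probe and parse the reply.

Added example, not from the original post. Wire format follows ntpd's
ntp_request.h: 8-byte mode 7 header, 72-byte info_monitor_1 entries.
"""
import socket
import struct

# Mode 7 header, 8 bytes:
#   byte 0: response(1) more(1) version(3) mode(3)  -> 0x17 = version 2, mode 7
#   byte 1: auth(1) sequence(7)
#   byte 2: implementation (3 = IMPL_XNTPD)   byte 3: request code (42 = MON_GETLIST_1)
#   bytes 4-5: err(4) count(12)               bytes 6-7: mbz(4) size(12)
HDR = struct.Struct("!BBBBHH")
MODE7 = 0x17
IMPL_XNTPD = 0x03
REQ_MON_GETLIST_1 = 0x2A
ENTRY_SIZE = 72          # sizeof(struct info_monitor_1)
ENTRIES_PER_PACKET = 6   # 8 + 6*72 = 440 bytes, under ntpd's 500-byte mode 7 limit


def build_monlist_request(sequence=0):
    """The whole probe: header only, zero count, zero size, no payload."""
    return HDR.pack(MODE7, sequence & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt):
    b0, seq, impl, code, err_count, mbz_size = HDR.unpack(pkt[:8])
    return {
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 7, "mode": b0 & 7, "sequence": seq & 0x7F,
        "implementation": impl, "request_code": code,
        "error": err_count >> 12, "count": err_count & 0x0FFF, "size": mbz_size & 0x0FFF,
    }


def parse_monlist_reply(pkt):
    """Return (header, [(client_ip, port, packet_count), ...]) for one reply packet."""
    if len(pkt) < HDR.size:
        raise ValueError("short packet")
    hdr = parse_mode7_header(pkt)
    if not (hdr["response"] and hdr["mode"] == 7 and hdr["request_code"] == REQ_MON_GETLIST_1):
        raise ValueError("not a MON_GETLIST_1 response")
    entries = []
    if hdr["error"]:            # e.g. error 4 (no data) when the monitor list is disabled
        return hdr, entries
    size = hdr["size"]
    for i in range(hdr["count"]):
        item = pkt[8 + i * size: 8 + (i + 1) * size]
        if len(item) < 32:
            raise ValueError("truncated entry")
        # info_monitor_1: lasttime, firsttime, restr, count, addr, daddr, flags (7 x u32),
        # port (u16), mode, version (2 x u8); the remaining 40 bytes are v6 fields/padding.
        _last, _first, _restr, count, addr, _daddr, _flags, port, _mode, _ver = \
            struct.unpack("!7IHBB", item[:32])
        entries.append((socket.inet_ntoa(struct.pack("!I", addr)), port, count))
    return hdr, entries


def amplification_factor(request, reply_packets):
    """Bytes returned per byte sent, UDP payload only (IP/UDP headers add 28 bytes per packet)."""
    return sum(len(p) for p in reply_packets) / len(request)


def build_constructed_reply(clients, more=False, sequence=0, error=0):
    """CONSTRUCTED sample reply (not a capture) imitating ntpd's packing, for offline use.
    clients: list of (ip, port, packet_count)."""
    body = b""
    for ip, port, count in clients:
        addr = struct.unpack("!I", socket.inet_aton(ip))[0]
        body += struct.pack("!7IHBB", 0, 0, 0, count, addr, 0, 0, port, 3, 4) + b"\x00" * 40
    b0 = 0x80 | (0x40 if more else 0) | MODE7
    return HDR.pack(b0, sequence & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                    (error << 12) | len(clients), ENTRY_SIZE) + body


def summarize(request, packets):
    """Totals over a whole reply stream: packets, entries, error code, amplification."""
    entries, error = [], 0
    for p in packets:
        hdr, items = parse_monlist_reply(p)
        error = error or hdr["error"]
        entries.extend(items)
    return {"packets": len(packets), "entries": len(entries), "error": error,
            "amplification": amplification_factor(request, packets) if packets else 0.0}


def probe(host, timeout=2.0):
    """Optional live check (needs network): collect reply packets until the 'more' bit clears.
    An empty list means the server dropped the query, which is the safe outcome."""
    req, packets = build_monlist_request(), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 123))
        try:
            while True:
                data, _ = s.recvfrom(1024)
                packets.append(data)
                if not parse_mode7_header(data)["more"]:
                    break
        except socket.timeout:
            pass
    return packets


if __name__ == "__main__":
    import sys
    pk = probe(sys.argv[1]) if len(sys.argv) > 1 else []
    print(summarize(build_monlist_request(), pk) if pk else "no monlist reply (good)")
```

Run it as `python3 monlist_check.py <ntp-server>` against a server you control; a UTM restricted to internal networks should produce "no monlist reply". On a full monitor list the amplification figure is roughly 440 bytes back per 8 bytes sent per packet, before counting the extra packets.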

  • Hi, Brian. I don't have an answer, only a question: What do you gain by opening NTP up to the internet? I would have thought best practice would be to lock down internal services to internal traffic, but am I missing something? Does opening it up to external traffic increase accuracy or redundancy somehow?

    Just curious.

    Thanks,
      Jon.