[RndTbl] MTS blocking NTP

Adam Thompson athompso at athompso.net
Fri Jan 25 07:50:23 CST 2019


On January 25, 2019 3:36:36 a.m. CST, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>I noticed that at one of the customers I have that uses low-end business
>MTS has had their NTP incoming/outgoing port (UDP 123) cut off (filtered)
>at the ISP. Incoming I can understand, but outgoing?  All the computers in
>the office have their time out of sync now.
>
>Does anyone know what the internal Bell/MTS time server's IP/domain is?
>Surely they didn't cut us off to their internal one.
>
>Will have the customer contact them eventually, but you know how it goes
>with tech support.  Looking for the quick solution...
>
>Anyone else have their UDP 123 cut off since Bell came along?
>
>Further: it looks like they are filtering outgoing only if your source
>port is also 123.  That is hardcoded into ntp (from what I've read).  But
>ntpdate allows the -u option to have the src port be >1024.  I tried that
>and ntpdate -u does work, but ntpdate without the -u gets blocked.  So
>they really are blocking in and out, but only src=123udp.
>
>Looks like chrony (and others) lets you specify src port, but I'm loath
>to uproot the system I know because Bell is braindead.  (MTS didn't use to
>block it, and block-happy Shaw does not block it.)

MTS has been blocking NTP for at least 3 years, I think more but can't be certain.
They did it when NTP was being exploited as a DDoS vector worldwide.  Apparently enough customers had routers/PCs hooked up that were exploitable that it was becoming a serious nuisance.
IIRC a handful of "important" NTP servers are whitelisted, e.g. time.windows.com and the equivalent from Apple.
The source port limitation is specifically because only full-fledged NTP server implementations were vulnerable, and they must by definition use port 123.
The block only exists for ADSL/VDSL/FTTH customers AFAIK.  Business fibre and SHDSL customers are expected to run firewalls that work.
-Adam
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
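To make the source-port behaviour discussed in this thread easy to verify from a client, here is an added example (not code from either poster): a minimal SNTP client in Python that sends one NTPv4 mode-3 request from a chosen UDP source port and parses the reply. Running it with `source_port=0` uses an ephemeral port (what `ntpdate -u` does); running it as root with `source_port=123` reproduces the case the filter drops. The server name `ntp.example.net` is a constructed placeholder and must be replaced with a reachable server; the packet builder and parser are plain RFC 4330 field layout and need no network to exercise.

```python
"""Minimal SNTP (RFC 4330) client with a selectable UDP source port.

Added example, not part of the original thread.  It shows whether an
upstream filter drops NTP only when the client's *source* port is 123.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
NTP_PORT = 123


def build_request() -> bytes:
    """48-byte NTPv4 client packet: LI=0, VN=4, Mode=3, all other fields zero."""
    first_byte = (0 << 6) | (4 << 3) | 3  # == 0x23
    return struct.pack("!B", first_byte) + b"\x00" * 47


def ntp_to_unix(seconds: int, fraction: int) -> float:
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def parse_response(data: bytes) -> dict:
    """Extract version, stratum and transmit time from a mode-4 server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum = data[0], data[1]
    mode = first & 0x07
    version = (first >> 3) & 0x07
    if mode != 4:
        raise ValueError(f"unexpected NTP mode {mode}")
    # Transmit timestamp occupies bytes 40..47: 32-bit seconds, 32-bit fraction.
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "version": version,
        "stratum": stratum,
        "transmit_time": ntp_to_unix(tx_sec, tx_frac),
    }


def query(server: str, source_port: int = 0, timeout: float = 2.0) -> dict:
    """Send one request from source_port (0 = OS-chosen ephemeral port).

    Binding to 123 requires root and is the case this thread reports as
    blocked; an ephemeral port is what `ntpdate -u` uses.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", source_port))
        sock.sendto(build_request(), (server, NTP_PORT))
        data, _ = sock.recvfrom(512)
    return parse_response(data)


if __name__ == "__main__":
    # "ntp.example.net" is a placeholder; substitute a server you are allowed to query.
    for port in (0, 123):
        label = port or "ephemeral"
        try:
            result = query("ntp.example.net", source_port=port)
            offset = result["transmit_time"] - time.time()
            print(f"src port {label}: ok, stratum {result['stratum']}, offset {offset:+.3f}s")
        except OSError as exc:  # covers timeout, EACCES on port 123, unreachable host
            print(f"src port {label}: failed ({exc})")
```

If the ephemeral-port query answers and the port-123 query times out from the same host, the filter is source-port based, as Trevor observed. A client that only needs to sync (not serve) loses nothing by using an ephemeral port, which is also why the filter does not break `ntpdate -u` or chrony's default client sockets.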