[RndTbl] MTS blocking NTP
athompso at athompso.net
Fri Jan 25 07:50:23 CST 2019
On January 25, 2019 3:36:36 a.m. CST, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>I noticed that at one of the customers I have that uses low-end
>MTS has had their NTP incoming/outgoing port (UDP 123) cut off
>at the ISP. Incoming I can understand, but outgoing? All the computers in
>the office have their time out of sync now.
>Does anyone know what the internal Bell/MTS time server's IP/domain is?
>Surely they didn't cut us off to their internal one.
>Will have the customer contact them eventually, but you know how it goes
>with tech support. Looking for the quick solution...
>Anyone else have their UDP 123 cut off since Bell came along?
>Further: it looks like they are filtering outgoing only if your source
>port is also 123. That is hardcoded into ntp (from what I've read).
>ntpdate allows the -u option to have the src port be >1024. I tried
>and ntpdate -u does work, but ntpdate without the -u gets blocked. So
>they really are blocking in and out, but only src=123udp.
>Looks like chrony (and others) lets you specify src port, but I'm
>to uproot the system I know because Bell is braindead. (MTS didn't use to
>block it, and block-happy Shaw does not block it.)
MTS has been blocking NTP for at least 3 years, I think more but can't be certain.
They did it when NTP was being exploited as a DDoS vector worldwide. Apparently enough customers had routers/PCs hooked up that were exploitable that it was becoming a serious nuisance.
IIRC a handful of "important" NTP servers are whitelisted, e.g. time.windows.com and the equivalent from Apple.
The source port limitation is specifically because only full-fledged NTP server implementations were vulnerable, and they must by definition use port 123.
The block only exists for ADSL/VDSL/FTTH customers AFAIK. Business fibre and SHDSL customers are expected to run firewalls that work.
Sent from my Android device with K-9 Mail. Please excuse my brevity.
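To illustrate the source-port point made in the thread (a client that binds an ephemeral port, as ntpdate -u does, versus one bound to UDP 123, which the ISP filter drops), here is an added minimal NTPv4 client and reply parser; it is example code written for this post, not anything from the list or from ntpdate/chrony. The sample reply bytes are constructed, and the server name passed to query() is whatever you choose.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def build_request() -> bytes:
    # 48-byte NTP header: LI=0, VN=4, Mode=3 (client); all other fields zero.
    return struct.pack("!B47x", (0 << 6) | (4 << 3) | 3)


def parse_response(data: bytes) -> dict:
    """Validate a server reply (mode 4) and return the transmit timestamp."""
    if len(data) < 48:
        raise ValueError("NTP reply too short")
    li_vn_mode, stratum = data[0], data[1]
    mode = li_vn_mode & 0x07
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0:
        raise ValueError("kiss-o'-death or unsynchronised server")
    # Transmit timestamp sits at bytes 40..47: 32-bit seconds, 32-bit fraction.
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "version": (li_vn_mode >> 3) & 0x07,
        "stratum": stratum,
        "transmit_unix": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }


def query(server: str, source_port: int = 0, timeout: float = 3.0) -> dict:
    # source_port=0 lets the kernel pick an ephemeral port (ntpdate -u behaviour).
    # source_port=123 needs root and reproduces the case the ISP filter drops.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", source_port))
        s.settimeout(timeout)
        s.sendto(build_request(), (server, 123))
        data, _ = s.recvfrom(512)
    return parse_response(data)


# Constructed sample reply: LI=0, VN=4, mode 4, stratum 2, transmit
# timestamp = 2019-01-25 07:50:23.5 UTC expressed in NTP seconds.
SAMPLE_REPLY = (bytes([0x24, 2]) + bytes(38)
                + struct.pack("!II", 1548402623 + NTP_EPOCH_OFFSET, 0x80000000))

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))
```

Running query("pool.ntp.org") and query("pool.ntp.org", source_port=123) back to back from an affected line shows the asymmetry the thread describes: only the second one times out.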