SNTP client get unauthorized NTP requests
Posted: Thu Jan 11, 2018 4:51 pm
by paolopoz
I have some routers with SNTP client (the built-in one) enabled and working.
Some interfaces have public IP addresses, but I don't have any firewall rules configured because I want to use FastPath.
Checking SNTP client status I often see this:
last-bad-packet-from: 162.209.xxx.xx
last-bad-packet-before: 6m43s410ms
last-bad-packet-reason: server-ip-mismatch
I took a packet capture and saw that these packets are NTP requests coming in, as if the router were listening on port 123.
I think this should not happen. Has anybody noticed this?
Re: SNTP client get unauthorized NTP requests
Posted: Thu Jan 11, 2018 5:31 pm
by pe1chl
Those are people scanning the internet for all kinds of services to see if there is something they can abuse.
Whenever you have an open connection to the internet you will see this; it is often called background noise.
Re: SNTP client get unauthorized NTP requests
Posted: Thu Jan 11, 2018 5:54 pm
by paolopoz
Thanks pe1chl, this is of course some kind of scanning coming from the big internet, but this is not what I want to point out.
What I mean is: a client should just get back the reply to its request, so why do I see incoming packets as if the router were listening on port 123/UDP? This is server behaviour.
Re: SNTP client get unauthorized NTP requests
Posted: Thu Jan 11, 2018 7:39 pm
by pe1chl
With UDP it is not possible to see the difference between a request and a reply.
(and to receive replies, you need to listen on a socket which you also use to send requests)
When you let in replies, you also let in requests.
That is why stateful firewalls exist....
Re: SNTP client get unauthorized NTP requests
Posted: Thu Jan 11, 2018 7:52 pm
by 16again
No firewall rules in the forward chain, for FastPath... is sort of OK.
But this shouldn't rule out firewall rules in the input chain (which isn't fast-pathed to begin with).
@pe1chl
The 1st UDP packet is, in my definition, the request. If we block it in the input chain, there will be no reply.
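The two points made above (pe1chl: a UDP socket that sends requests receives anything addressed to its port, so a scanner's request and the server's reply arrive the same way; 16again: the first packet of a UDP exchange is the request, and dropping unsolicited ones in the input chain means no reply is ever sent) can be shown with a small model. This is an added example, not RouterOS code and not posted by anyone in the thread. It assumes the SNTP client sends from and receives on UDP port 123 (consistent with the capture described, but an assumption), uses documentation addresses, and constructs all packets inline. The reason string `server-ip-mismatch` is the one shown in the first post; the other verdict labels are this example's own.

```python
from dataclasses import dataclass

NTP_PORT = 123
NTP_MODE_CLIENT = 3   # mode field value for a request
NTP_MODE_SERVER = 4   # mode field value for a reply


def ntp_header(mode: int, version: int = 4) -> bytes:
    """48-byte NTP header with only the LI/VN/Mode byte filled in (LI=0).
    Enough for mode classification; timestamps stay zero (constructed data)."""
    return bytes([(version << 3) | mode]) + bytes(47)


def ntp_mode(payload: bytes) -> int:
    """Mode is the low three bits of the first header byte."""
    return payload[0] & 0x07


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def sntp_client_verdict(pkt: UdpPacket, configured_servers: set) -> str:
    """What the SNTP client does with a datagram that reached its socket.
    Without a firewall, the kernel delivers any UDP datagram for the bound
    port; the client can only check the source address and the mode field."""
    if pkt.src not in configured_servers:
        return "server-ip-mismatch"          # reason string seen in the thread
    if ntp_mode(pkt.payload) != NTP_MODE_SERVER:
        return "not-a-reply"                 # example's own label
    return "ok"                              # example's own label


class StatefulUdpFilter:
    """Minimal connection tracker for UDP: an inbound datagram is accepted
    only if it answers a datagram this host sent (addresses/ports swapped).
    This is the input-chain behaviour 16again describes: the scanner's
    packet is a first packet with no matching outbound flow, so it is dropped
    before any socket sees it, and no reply is generated."""

    def __init__(self) -> None:
        self._flows = set()

    def outbound(self, pkt: UdpPacket) -> None:
        self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: UdpPacket) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows


def run_scenario() -> dict:
    """Constructed traffic: router asks its configured server for time, the
    server replies, and an unrelated host sends an NTP request (a scan)."""
    router, server, scanner = "203.0.113.10", "198.51.100.5", "192.0.2.77"
    request = UdpPacket(router, NTP_PORT, server, NTP_PORT, ntp_header(NTP_MODE_CLIENT))
    reply = UdpPacket(server, NTP_PORT, router, NTP_PORT, ntp_header(NTP_MODE_SERVER))
    probe = UdpPacket(scanner, 40000, router, NTP_PORT, ntp_header(NTP_MODE_CLIENT))

    # No input-chain filtering: both datagrams reach the client's socket and
    # only the client's own checks tell them apart.
    unfiltered = {
        "reply": sntp_client_verdict(reply, {server}),
        "probe": sntp_client_verdict(probe, {server}),
    }

    # Stateful input filtering: only the datagram matching our own request passes.
    fw = StatefulUdpFilter()
    fw.outbound(request)
    filtered = {"reply": fw.inbound(reply), "probe": fw.inbound(probe)}

    return {"unfiltered": unfiltered, "filtered": filtered}


if __name__ == "__main__":
    for stage, verdicts in run_scenario().items():
        print(stage, verdicts)
```

The unfiltered stage reproduces what the first post observed: the scanner's request is delivered to the SNTP client and is rejected as `server-ip-mismatch`, which is why it shows up in the client's status. The filtered stage is the state-tracking check a firewall input chain performs; the probe is dropped because nothing was sent to that source, while the genuine reply is accepted because it matches the outbound request.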