09-03-2018 02:31 AM - edited 02-21-2020 08:11 AM
Hi Experts,
I am seeing frequent UDP-123 (NTP traffic) logs on a Cisco ASA Firewall, initiated from the internal LAN to the outside Internet. Source and destination port is 123. Can someone advise what is causing this?
I understand that UDP-123 (NTP traffic) is used for time synchronisation, but why does it go to different sets of public Internet servers so frequently?
Thanks & Regards
Sreeraj
09-03-2018 03:20 AM
Hello,
The ASA is doing its job of providing the information it can. You can either block it if required, or refer to the source and check the source host/server to see what configuration is causing the NTP traffic to be initiated.
You can take captures as well on the internal interface of the ASA if the syslog info is insufficient.
HTH
AJ
09-03-2018 03:58 AM - edited 09-03-2018 03:59 AM
Different devices typically have different sets of NTP servers configured. All these servers are queried regularly to pick the "best" server out of the configured pool. These are the requests you are seeing here.
If you do not want so many different servers to be queried, you have to configure all your internal devices with the NTP servers of your choice.
Here are some servers to choose from: http://support.ntp.org/bin/view/Servers/NTPPoolServers
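The replies above suggest tracing the NTP traffic back to its source hosts and pointing every device at servers of your choice. The following is an added example, not part of the original thread: a Python sketch that groups outbound UDP/123 connections by internal client and lists the clients that still need reconfiguring. It assumes the ASA logs connection builds as message 302015 with interfaces named `inside` and `outside`; the log lines, addresses and the internal time server `10.1.1.5` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of ASA syslog message 302015.
# Interface names "inside"/"outside" and all addresses are assumptions.
SAMPLE_LOG = """\
Sep 03 2018 02:10:01: %ASA-6-302015: Built outbound UDP connection 7001 for outside:192.0.2.10/123 (192.0.2.10/123) to inside:10.1.1.20/123 (10.1.1.20/123)
Sep 03 2018 02:10:09: %ASA-6-302015: Built outbound UDP connection 7002 for outside:198.51.100.7/123 (198.51.100.7/123) to inside:10.1.1.20/123 (10.1.1.20/123)
Sep 03 2018 02:11:30: %ASA-6-302015: Built outbound UDP connection 7003 for outside:203.0.113.5/123 (203.0.113.5/123) to inside:10.1.1.30/123 (10.1.1.30/123)
Sep 03 2018 02:11:42: %ASA-6-302015: Built outbound UDP connection 7004 for outside:203.0.113.5/123 (203.0.113.5/123) to inside:10.1.1.5/123 (10.1.1.5/123)
Sep 03 2018 02:12:03: %ASA-6-302015: Built outbound UDP connection 7005 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.1.1.99/40112 (10.1.1.99/40112)
"""

# "for <if>:<dst>/<port> (<mapped>) to <if>:<src>/<port>": for an outbound
# connection the "for" side is the outside server, the "to" side the client.
BUILT_UDP = re.compile(
    r"%ASA-6-302015: Built outbound UDP connection \d+ "
    r"for (?P<dst_if>\S+?):(?P<dst>[\d.]+)/(?P<dport>\d+) \S+ "
    r"to (?P<src_if>\S+?):(?P<src>[\d.]+)/(?P<sport>\d+)"
)


def ntp_servers_by_client(log_text):
    """Map each internal client to the set of outside NTP servers it contacted."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = BUILT_UDP.search(line)
        if m and m["dport"] == "123":  # ignore non-NTP UDP such as DNS
            seen[m["src"]].add(m["dst"])
    return dict(seen)


def clients_to_reconfigure(seen, allowed_clients):
    """Clients that query outside NTP servers but are not an approved time server."""
    return {c: sorted(s) for c, s in seen.items() if c not in allowed_clients}


if __name__ == "__main__":
    seen = ntp_servers_by_client(SAMPLE_LOG)
    # 10.1.1.5 is the hypothetical internal NTP server allowed to sync outside.
    for client, servers in clients_to_reconfigure(seen, {"10.1.1.5"}).items():
        print(f"{client} -> {', '.join(servers)}")
```

Once the list is empty, only the internal time server still needs udp/123 through the firewall.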
09-05-2018 11:40 PM
Thank you for the advice provided.
Also, please advise on the security vulnerabilities with respect to the NTP protocol and ways to prevent them. Is building a campus NTP server a recommended solution for this? Please provide more light/documentation.
Thanks & Regards
Sreeraj Murali
09-06-2018 02:02 AM
While ntp as a protocol does have its share of vulnerabilities and is not inherently secure, it is very far down on the list of things to worry about. Keeping accurate time across systems using NTP is a best practice; but spending much time on countermeasures against NTP vulnerabilities has a very very small return on investment.
I'd focus your efforts on email with phishing links, malware attachments and users browsing to bad websites. That will cover 95% or more of the threats to your infrastructure.
09-06-2018 02:23 AM
Thanks. We do Software as a service business, and all the customer servers are hosted in our SAS environment. Currently, all the Linux servers have their time synchronised from a public NTP server, which I am thinking of as a risk with NTP DDoS amplification attacks. So, I am looking for a countermeasure to mitigate this. Please advise.
09-06-2018 02:55 AM
You can always purchase a time server appliance that synchronizes its clock via a GPS antenna. Install it inside your network and then block all udp/123 ntp through your firewall.
You can find several with a quick web search. Prices vary widely (US$300 to US$5000) according to how "industrial strength" you need it to be.
https://www.amazon.com/TimeMachines-TM1000A-maintains-broadcast-Satellites/dp/B002RC3Q4Q
https://www.endruntechnologies.com/time-servers.htm
https://spectracom.com/products-services/precision-timing/enterprise-class-securesync
...etc.
09-06-2018 02:58 AM
Thanks. Can we have a provision for configuring a Windows DNS Server (Domain Controller) as an NTP server?
09-06-2018 03:10 AM
You can but it would still need to get time from an Internet-based time source.
It's also not designed to scale and hand out time to non-Windows systems. You could just as easily run a small Linux machine to act as your ntp server (or add the service onto an existing utility server you may already have).
https://askubuntu.com/questions/14558/how-do-i-setup-a-local-ntp-server