cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2012
Views
10
Helpful
9
Replies

Repeated NTP-UDP123 logs on firewall

sreeraj.murali
Level 3
Level 3

Hi Experts,

I am seeings frequent UDP-123(NTP traffic) logs on Cisco ASA Firewall, which is initiated from Internal LAN to Outside Internet. Source and destination port is 123. Can some one guide, what is causing this?

 

Understand, that UDP-123(NTP traffic) is used for time synchronisation, but why to different set of Public Internet servers frequently?

 

Thanks & Regards

Sreeraj

9 Replies 9

Ajay Saini
Level 7
Level 7

Hello,

 

ASA is doing its job of providing the information it can. You can either block it if required or refer to source and check the source host/server to see what configuration is causing the NTP traffic to be initiated.

 

You can take captures as well on internal interface of ASA is the syslog info is insufficient.

 

HTH
AJ

Different devices typically have different sets of NTP-servers configured. All these servers are queried regularly to pick the "best" server out of the configured pool. These are the requests you are seeing here.

If you do not want that these many different servers are queried, you have to configure all your internal devices with the NTP-servers of your choice.

Here are some servers to choose from: http://support.ntp.org/bin/view/Servers/NTPPoolServers

Thank you for the advice provided.

Also, please suggest, on the Security vulnerability with respect to NTP protocol and ways to prevent the same. Is builting an Campus NTP Server a recommended solution for the same. Please provide more light/documentation.

 

Thanks & Regards

Sreeraj Murali

While ntp as a protocol does have its share of vulnerabilities and is not inherently secure, it is very far down on the list of things to worry about. Keeping accurate time across systems using NTP is a best practice; but spending much time on countermeasures against NTP vulnerabilities has a very very small return on investment.

 

I'd focus your efforts on email with phishing links, malware attachments and users browsing to bad websites. That will cover 95% or more of the threats to your infrastructure.

 

Thanks. We do Software as a service business, and all the Customer servers are hosted in our SAS environment. Currently, all the linux servers are having the time synchronised from public NTP Server, which i am thinking as a risk with NTP DDoS amblification attack. So, looking for a counter measure to mitigate this. Please advice.

You can always purchase a time server appliance that synchronizes its clock via a GPS antenna. Install it inside your network and then block all udp/123 ntp through your firewall.

 

You can find several with a quick web search. Prices vary widely (US$300 to US$5000) according to how "industrial strength" you need it to be.

 

https://www.amazon.com/TimeMachines-TM1000A-maintains-broadcast-Satellites/dp/B002RC3Q4Q

 

https://www.endruntechnologies.com/time-servers.htm

 

https://spectracom.com/products-services/precision-timing/enterprise-class-securesync

 

...etc.

 

Thanks, Can we have a provision of configuring Windows DNS Server(Domain Controller) as an NTP Server?

You can but it would still need to get time from an Internet-based time source.

 

It's also not designed to scale and hand out time to non-Windows systems. You could just as easily run a small Linux machine to act as your ntp server (or add the service onto an existing utility server you may already have).

 

https://askubuntu.com/questions/14558/how-do-i-setup-a-local-ntp-server

You can but it would still need to get time from an Internet-based time source.

 

It's also not designed to scale and hand out time to non-Windows systems. You could just as easily run a small Linux machine to act as your ntp server (or add the service onto an existing utility server you may already have).

 

https://askubuntu.com/questions/14558/how-do-i-setup-a-local-ntp-server

Review Cisco Networking for a $25 gift card