1925 Views, 10 Helpful, 9 Replies

Repeated NTP-UDP123 logs on firewall

sreeraj.murali (Level 3)

Hi Experts,

I am seeing frequent UDP-123 (NTP traffic) logs on a Cisco ASA firewall, initiated from the internal LAN to the outside Internet. Source and destination ports are both 123. Can someone guide me on what is causing this?

I understand that UDP-123 (NTP traffic) is used for time synchronisation, but why to different sets of public Internet servers so frequently?

Thanks & Regards

Sreeraj

9 Replies

Ajay Saini (Level 7)

Hello,

The ASA is doing its job of providing the information it can. You can either block it if required, or refer to the source and check the source host/server to see what configuration is causing the NTP traffic to be initiated.

You can take captures as well on the internal interface of the ASA if the syslog info is insufficient.

HTH
AJ

Different devices typically have different sets of NTP-servers configured. All these servers are queried regularly to pick the "best" server out of the configured pool. These are the requests you are seeing here.

If you do not want this many different servers to be queried, you have to configure all your internal devices with the NTP servers of your choice.

Here are some servers to choose from: http://support.ntp.org/bin/view/Servers/NTPPoolServers
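A way to do what the two replies above suggest (work back from the ASA syslog to the internal hosts and the servers each of them polls), as an added example that is not part of the thread: the script below parses constructed ASA 302015 "Built outbound UDP connection" lines and lists, per internal source address, which external NTP servers it contacted and from which source ports. The sample log and its RFC 5737 addresses are constructed for the example; the 302015 field layout (outside endpoint first, inside endpoint second for an outbound connection) is the ASA's standard message format.

```python
import re
from collections import defaultdict

# Constructed sample of ASA syslog (not from the thread). Addresses are from
# the RFC 5737 documentation ranges, not real NTP servers.
SAMPLE_SYSLOG = """\
%ASA-6-302015: Built outbound UDP connection 100 for outside:192.0.2.10/123 (192.0.2.10/123) to inside:10.1.1.5/123 (203.0.113.1/123)
%ASA-6-302015: Built outbound UDP connection 101 for outside:192.0.2.11/123 (192.0.2.11/123) to inside:10.1.1.5/123 (203.0.113.1/123)
%ASA-6-302015: Built outbound UDP connection 102 for outside:198.51.100.7/123 (198.51.100.7/123) to inside:10.1.1.5/123 (203.0.113.1/123)
%ASA-6-302015: Built outbound UDP connection 103 for outside:192.0.2.10/123 (192.0.2.10/123) to inside:10.1.1.9/123 (203.0.113.1/123)
%ASA-6-302015: Built outbound UDP connection 104 for outside:198.51.100.20/123 (198.51.100.20/123) to inside:10.1.1.9/40123 (203.0.113.1/40123)
%ASA-6-302015: Built outbound UDP connection 105 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.1.1.9/51000 (203.0.113.1/51000)
%ASA-6-302016: Teardown UDP connection 100 for outside:192.0.2.10/123 to inside:10.1.1.5/123 duration 0:00:00 bytes 96
"""

# For outbound connections, 302015 lists the outside (destination) endpoint
# first and the inside (source) endpoint second, so the "to" side is the
# internal host that started the flow.
BUILT_RE = re.compile(
    r"%ASA-\d-302015: Built outbound UDP connection \d+ "
    r"for (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\)"
)


def ntp_flows(syslog_text, ntp_port=123):
    """Map each internal source to the external NTP servers it built flows to
    and the source ports it used. Teardown lines and non-NTP UDP are ignored."""
    flows = defaultdict(lambda: {"servers": set(), "src_ports": set()})
    for line in syslog_text.splitlines():
        m = BUILT_RE.search(line)
        if not m or int(m.group("dst_port")) != ntp_port:
            continue
        entry = flows[m.group("src_ip")]
        entry["servers"].add(m.group("dst_ip"))
        entry["src_ports"].add(int(m.group("src_port")))
    return {src: {"servers": sorted(v["servers"]), "src_ports": sorted(v["src_ports"])}
            for src, v in flows.items()}


def report(syslog_text):
    """Human-readable summary, hosts with the most distinct servers first."""
    rows = sorted(ntp_flows(syslog_text).items(),
                  key=lambda kv: -len(kv[1]["servers"]))
    return [f"{src}: {len(v['servers'])} server(s) {', '.join(v['servers'])}; "
            f"source port(s) {', '.join(map(str, v['src_ports']))}"
            for src, v in rows]


if __name__ == "__main__":
    for row in report(SAMPLE_SYSLOG):
        print(row)
```

A host that appears with several servers is normally a client with a pool name or several `server` lines configured, which is the behaviour described in the reply above. The source port is a useful hint about which client is running: the reference ntpd sends its queries from port 123, which is the 123-to-123 pairing noted in the question, whereas a client using an ephemeral source port (40123 in the constructed sample) is something else. Feed real syslog text to `ntp_flows()` to get the same summary for your network.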

Thank you for the advice provided.

Also, please advise on the security vulnerabilities of the NTP protocol and ways to prevent them. Is building a campus NTP server a recommended solution for this? Please provide more light/documentation.

 

Thanks & Regards

Sreeraj Murali

While NTP as a protocol does have its share of vulnerabilities and is not inherently secure, it is very far down on the list of things to worry about. Keeping accurate time across systems using NTP is a best practice; but spending much time on countermeasures against NTP vulnerabilities has a very, very small return on investment.

I'd focus your efforts on email with phishing links, malware attachments and users browsing to bad websites. That will cover 95% or more of the threats to your infrastructure.

Thanks. We run a Software-as-a-Service business, and all the customer servers are hosted in our SaaS environment. Currently, all the Linux servers have their time synchronised from public NTP servers, which I am thinking is a risk with the NTP DDoS amplification attack. So, I am looking for a countermeasure to mitigate this. Please advise.

You can always purchase a time server appliance that synchronizes its clock via a GPS antenna. Install it inside your network and then block all udp/123 ntp through your firewall.

 

You can find several with a quick web search. Prices vary widely (US$300 to US$5000) according to how "industrial strength" you need it to be.

https://www.amazon.com/TimeMachines-TM1000A-maintains-broadcast-Satellites/dp/B002RC3Q4Q

https://www.endruntechnologies.com/time-servers.htm

https://spectracom.com/products-services/precision-timing/enterprise-class-securesync

...etc.
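The amplification risk raised two posts above comes from an NTP server answering mode 7 (`monlist`) and mode 6 control queries to anyone who asks, not from a client's own time requests, so the countermeasure on a campus or SaaS time server is to refuse those queries while still serving time. As an added example (not from the thread), below is a small Python audit of ntpd-style `ntp.conf` text, run against a constructed permissive configuration, a constructed partly restricted one, and a constructed hardened one. The directives it checks (`restrict default ... noquery`, `disable monitor`) are real ntpd options; the audit function and the sample files are this example's own. The firewall side of the reply above (permit udp/123 outbound only from the internal time server, drop the rest) is a separate ACL and is not shown here.

```python
# Added example: audit an ntpd-style ntp.conf for the settings that leave the
# monlist / mode 7 amplification vector open. All three configs are constructed.

WEAK_NTP_CONF = """\
# Constructed example of a permissive ntp.conf: anyone may query status
server 0.pool.ntp.org
server 1.pool.ntp.org
restrict 127.0.0.1
"""

PARTIAL_NTP_CONF = """\
# Constructed example: modifications blocked, but ntpq/ntpdc queries still answered
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_NTP_CONF = """\
# Constructed example: serve time to everyone, answer control queries to no one
server 0.pool.ntp.org
server 1.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""

# Flags on 'restrict default' that close the query/modify paths. None of them
# affects ordinary mode 3 client time requests, so LAN clients keep syncing.
REQUIRED_DEFAULT_FLAGS = ("noquery", "nomodify", "notrap", "nopeer")


def parse_ntp_conf(text):
    """Return ({family: set(flags)} for 'restrict default' lines, disable_monitor)."""
    default_flags = {}
    disable_monitor = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "restrict":
            args = words[1:]
            # A bare 'restrict default' is treated here as covering both families;
            # older configs spell IPv6 out with 'restrict -6 default', which is
            # why the hardened sample carries both lines.
            families = ("ipv4", "ipv6")
            if args and args[0] in ("-4", "-6"):
                families = ("ipv4",) if args[0] == "-4" else ("ipv6",)
                args = args[1:]
            if args and args[0] == "default":
                for fam in families:
                    default_flags[fam] = set(args[1:])
        elif words[0] == "disable" and "monitor" in words[1:]:
            disable_monitor = True
    return default_flags, disable_monitor


def audit_ntp_conf(text):
    """List the findings that leave the server usable as an amplifier."""
    default_flags, disable_monitor = parse_ntp_conf(text)
    findings = []
    for fam in ("ipv4", "ipv6"):
        flags = default_flags.get(fam)
        if flags is None:
            findings.append(f"{fam}: no 'restrict default' line, so any host may send "
                            f"mode 6/7 queries such as monlist")
            continue
        for flag in REQUIRED_DEFAULT_FLAGS:
            if flag not in flags:
                findings.append(f"{fam}: 'restrict default' lacks {flag}")
    if not disable_monitor:
        findings.append("'disable monitor' not set: the MRU list that monlist "
                        "reports is still kept")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NTP_CONF), ("partial", PARTIAL_NTP_CONF),
                       ("hardened", HARDENED_NTP_CONF)):
        print(f"{name}:")
        for finding in audit_ntp_conf(conf) or ["no findings"]:
            print(f"  - {finding}")
```

`noquery` is the flag that matters for amplification: it refuses the ntpq/ntpdc (mode 6 and 7) queries that produce large answers, while time requests are still served. Releases of ntpd from 4.2.7p26 onwards no longer answer `monlist` at all, but the restrict lines remain the right default on any server that reachable hosts can query, whether it is a GPS appliance, a Linux box, or a domain controller.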

Thanks. Can we have a provision for configuring a Windows DNS Server (Domain Controller) as an NTP Server?

You can but it would still need to get time from an Internet-based time source.

 

It's also not designed to scale and hand out time to non-Windows systems. You could just as easily run a small Linux machine to act as your ntp server (or add the service onto an existing utility server you may already have).

 

https://askubuntu.com/questions/14558/how-do-i-setup-a-local-ntp-server
