SFR Module NTP Traffic Blocked

-Sparrow- (Beginner)

Hello,

 

Looking at my blocked traffic I see some TOR exit node IP (23.129.64.159).  Strange thing is, the initiator IP is my SFR module.  It's NTP traffic.  What's going on here?  Why is my SFR module looking at a TOR node for time? I looked at my FMC and the IP isn't listed in the time configuration.

(screenshot: SFR NTP.PNG)

 

8 replies

Marvin Rhoads (VIP Community Legend)

The time server could have been set on the module during the initial setup. You can rerun that using the script:

/etc/sysconfig/configure-network

...from the CLI on your module (you may need to "sudo su -" first).

What (if anything) do you have set on FMC under System > Local > System Policy?

Hi Marvin,

I don't have any option in my FMC for System > Local > System Policy but I do have System > Configuration > Time which displays this:

(screenshot: NTP.PNG)

The blocked IP isn't listed there.

I ran the /etc/sysconfig/configure-network script, but there wasn't an option for an NTP server before it completed.

After I ran the configure-network this error popped up in the FMC but it cleared itself up after a few min:

(screenshot: Tunneling.PNG)

I ran the initial setup a couple of weeks ago when I re-imaged the SFR module, but I don't recall if I saw a setting for NTP there.  If it was there it may not have been configured at that time.

Thank you for your help.

Hello,

 

I have the same events, and most of the devices that initiate this traffic belong to the voice VLAN (VoIP phones).

I haven't configured this IP either; I have left the default servers.

 

Did you find why this kind of traffic is being initiated from inside?

 

Thank you


@anousakisioannis wrote:

Hello,

 

I have the same events, and most of the devices that initiate this traffic belong to the voice VLAN (VoIP phones).

I haven't configured this IP either; I have left the default servers.

 

Did you find why this kind of traffic is being initiated from inside?

 

Thank you



It was never clear as to why our SFR module was looking at that IP for time.  I raised a ticket with TAC and the engineer had me create a platform setting policy configured to synchronize time with the FMC.  Since I set up that platform setting policy I haven't seen the SFR trying to access the TOR IP.

(screenshot: SFR Platform Setting.PNG)

In my case it was only the SFR module that was doing this.  I hadn't seen any other devices touching that TOR IP.


I take that back... I just logged in and saw that one of our field office Xerox printers and our BitDefender appliance tried to access the IP yesterday and the day before. Three occurrences, all port 123 NTP traffic.

It appears from my research using Cisco Umbrella Investigate that the suspect Emerald Onion-registered address is "squatting" on numerous NTP server DNS records. I'm not sure how this has come to pass but I suspect we may see more from Talos Intelligence on this eventually.

 

In any case, they include 0.sourcefire.pool.ntp.org (and 1., 2. and 3.)

(screenshot: Known domains hosted by 23.129.64.159)

How can we report it to Talos?
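The thread ends with two findings: the address is published in public NTP pool DNS records (so any device using default pool servers may be handed it), and the devices that reached it were the ones whose time source was never pinned to a configured server. A quick way to turn that into a repeatable check is to scan connection events for UDP/123 flows whose responder is not on the list of time servers you actually configured, and to list the initiators that never used a configured server at all. The following is an added example written for this page; it is not code from the thread, from Cisco, or from Talos. The event lines are constructed for illustration, the key=value layout is an assumption rather than the real FMC connection-event export format, and the RFC 5737 addresses 192.0.2.10 and 192.0.2.11 stand in for whatever NTP servers you have configured.

```python
"""
Added example (not code from the original thread, Cisco, or Talos): scan
connection events for NTP (UDP/123) flows whose responder is not one of the
time servers the administrator deliberately configured. The event lines
below are constructed; the key=value layout is an assumption, not the real
FMC export format.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: RFC 5737 documentation addresses stand in for the real
# internal/upstream NTP servers set in the platform settings policy.
CONFIGURED_NTP = {"192.0.2.10", "192.0.2.11"}

# Constructed sample events. 23.129.64.159 is the address discussed above.
SAMPLE_EVENTS = """\
2023-05-01T10:00:01Z init=10.10.5.2 resp=192.0.2.10 proto=udp dport=123 action=Allow
2023-05-01T10:00:03Z init=10.10.5.2 resp=23.129.64.159 proto=udp dport=123 action=Block
2023-05-01T10:00:05Z init=10.10.5.2 resp=192.0.2.53 proto=udp dport=53 action=Allow
2023-05-01T10:02:17Z init=10.40.1.77 resp=23.129.64.159 proto=udp dport=123 action=Block
2023-05-01T10:03:44Z init=10.10.9.9 resp=198.51.100.7 proto=tcp dport=123 action=Allow
2023-05-01T10:04:00Z init=10.40.1.77 resp=192.0.2.11 proto=udp dport=123 action=Allow
this line is garbage and must be skipped
2023-05-01T10:05:12Z init=10.40.1.78 resp=23.129.64.159 proto=udp dport=123 action=Block
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return a dict of the key=value fields on one line, or None when the
    line lacks a required field or carries an unparsable IP or port."""
    fields = dict(_KV.findall(line))
    if not all(k in fields for k in ("init", "resp", "proto", "dport")):
        return None
    try:
        ipaddress.ip_address(fields["init"])
        ipaddress.ip_address(fields["resp"])
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def is_ntp(ev):
    """NTP runs over UDP/123; a TCP/123 flow is not NTP and is ignored here."""
    return ev["proto"].lower() == "udp" and ev["dport"] == 123


def find_unexpected_ntp(events_text, configured=CONFIGURED_NTP):
    """Map each NTP responder that is not a configured time server to the
    set of internal initiators that tried to reach it."""
    unexpected = defaultdict(set)
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None or not is_ntp(ev):
            continue
        if ev["resp"] not in configured:
            unexpected[ev["resp"]].add(ev["init"])
    return dict(unexpected)


def initiators_never_using_configured(events_text, configured=CONFIGURED_NTP):
    """Initiators whose NTP traffic went only to unconfigured servers: these
    are the devices (SFR module, printers, appliances) whose time source has
    not actually been pinned down and that still follow pool DNS rotation."""
    seen = defaultdict(set)
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None or not is_ntp(ev):
            continue
        seen[ev["init"]].add(ev["resp"])
    return sorted(i for i, dests in seen.items() if not dests & configured)


if __name__ == "__main__":
    for resp, inits in find_unexpected_ntp(SAMPLE_EVENTS).items():
        print(f"{resp}: NTP from {len(inits)} host(s): {', '.join(sorted(inits))}")
    print("never reached a configured server:",
          initiators_never_using_configured(SAMPLE_EVENTS))
```

Because pool.ntp.org hands out rotating members, an IP-based allowlist of pool addresses would drift from day to day; the list is only stable once devices are pointed at a fixed source, which is what the platform settings policy described above achieves for the SFR module. Devices that show up in the second list are the ones still worth revisiting.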
