11-18-2019 01:58 PM - edited 02-21-2020 09:42 AM
Hello,
Looking at my blocked traffic I see some TOR exit node IP (23.129.64.159). Strange thing is, the initiator IP is my SFR module. It's NTP traffic. What's going on here? Why is my SFR module looking at a TOR node for time? I looked at my FMC and the IP isn't listed in the time configuration.
11-19-2019 05:13 AM
The time server could have been set on the module during the initial setup. You can rerun that using the script:
/etc/sysconfig/configure-network
...from the CLI on your module (you may need to "sudo su -" first).
What (if anything) do you have set on FMC under System > Local > System Policy?
11-19-2019 09:14 AM
Hi Marvin,
I don't have any option in my FMC for System > Local > System Policy but I do have System > Configuration > Time which displays this:
The blocked IP isn't listed there.
I ran
/etc/sysconfig/configure-network
but there wasn't an option for an NTP server there before it completed.
After I ran the configure-network this error popped up in the FMC but it cleared itself up after a few min:
I ran the initial setup a couple of weeks ago when I re-imaged the SFR module, but I don't recall if I saw a setting for NTP there. If it was there it may not have been configured at that time.
Thank you for your help.
12-03-2019 04:36 AM
Hello,
I have the same events and most of the devices that initiate this traffic, belong to voice vlan (voip phones).
I haven't configured this IP either; I have left the default servers.
Did you find why this kind of traffic is being initiated from inside?
Thank you
12-03-2019 07:12 AM
@anousakisioannis wrote:
Hello,
I have the same events and most of the devices that initiate this traffic, belong to voice vlan (voip phones).
I haven't configured this IP either; I have left the default servers.
Did you find why this kind of traffic is being initiated from inside?
Thank you
It was never clear as to why our SFR module was looking at that IP for time. I raised a ticket with TAC and the engineer had me create a platform setting policy configured to synchronize time with the FMC. Since I set up that platform setting policy I haven't seen the SFR trying to access the TOR IP.
In my case it was only the SFR module that was doing this. I hadn't seen any other devices touching that TOR IP.
12-03-2019 07:54 AM
In my case it was only the SFR module that was doing this. I hadn't seen any other devices touching that TOR IP.
I take that back... I just logged in and saw that one of our field office Xerox printers and our BitDefender appliance tried to access the IP yesterday and the day before. Three occurrences, all port 123 NTP traffic.
12-03-2019 08:32 AM
It appears from my research using Cisco Umbrella Investigate that the suspect Emerald Onion-registered address is "squatting" on numerous NTP server DNS records. I'm not sure how this has come to pass but I suspect we may see more from Talos Intelligence on this eventually.
In any case, they include 0.sourcefire.pool.ntp.org (and 1., 2. and 3.)
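A quick way to check this yourself, as an added example that is not from the thread or from Cisco: resolve the pool hostnames named above and flag any answer that lands on the address reported in this thread (the watchlist, hostnames and resolver interface are my own assumptions; the resolver can be swapped for a stub to run offline).

```python
import socket
from typing import Callable, Dict, Iterable, Set

# Vendor pool hostnames named in the thread: 0. through 3.sourcefire.pool.ntp.org
SOURCEFIRE_POOL_HOSTS = [f"{i}.sourcefire.pool.ntp.org" for i in range(4)]

# Address reported in the thread as a Tor exit node appearing in NTP pool DNS answers
# (assumed watchlist; extend with whatever your blocked-traffic log shows).
WATCHLIST: Set[str] = {"23.129.64.159"}


def resolve_ipv4(hostname: str) -> Set[str]:
    """Return the IPv4 addresses currently returned for hostname (live DNS lookup).

    An unresolvable name yields an empty set rather than raising, so one bad
    pool entry does not abort the whole check.
    """
    try:
        infos = socket.getaddrinfo(hostname, 123, socket.AF_INET, socket.SOCK_DGRAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def find_watchlisted_ntp_answers(
    hosts: Iterable[str],
    watchlist: Iterable[str],
    resolver: Callable[[str], Set[str]] = resolve_ipv4,
) -> Dict[str, Set[str]]:
    """Map each hostname to the subset of its resolved addresses that are watchlisted.

    Hostnames with no watchlisted answers are omitted, so an empty dict means
    none of the pool names currently points at a watched address.
    """
    watched = set(watchlist)
    hits: Dict[str, Set[str]] = {}
    for host in hosts:
        bad = resolver(host) & watched
        if bad:
            hits[host] = bad
    return hits


if __name__ == "__main__":
    hits = find_watchlisted_ntp_answers(SOURCEFIRE_POOL_HOSTS, WATCHLIST)
    if not hits:
        print("no pool hostname currently resolves to a watchlisted address")
    for host, addrs in sorted(hits.items()):
        print(f"{host} -> {', '.join(sorted(addrs))}")
```

Pool answers rotate, so an all-clear on one run only says the rotation did not hand you the watched address this time; schedule the check or compare against the resolved addresses your NTP clients actually logged.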
12-04-2019 12:44 AM
How can we report it to Talos?
12-04-2019 04:12 AM
You can make a report to Talos using the following URL:
https://talosintelligence.com/reputation_center/support#reputation_center_support_ticket