Internet2 Network Security SIG

[gcbrowni <>]

A little help?

I’m seeing some syslog messages that indicate the router is trying to respond/do something related to NTP. I understand the error message proper but I don’t understand WHY the router is trying to engage in NTP activity. 

The message looks like:

2017-09-21T16:02:51+00:00 nnnn.net.internet2.edu xntpd[70981]: sendto(A.B.C.D): No route to host

Node nnnn is telling me that that the NTP process (xntpd) can’t send a packet to IP A.B.C.D. This is because A.B.C.D is in the CPS table and not in the R&E table. That checks out. 

But … there are loopback filters in place that should prevent the router ever accepting the NTP packet from A.B.C.D in the first place. I can’t figure out why/the-triggerring-event that is causing the router is trying to send NTP to that host.

1) The first first term in the filter is a syslog that matches on "port 123". If it matches any tcp/udp on port 123 it syslogs and then next terms. I see our normal and expected NTP traffic being syslogged. Our final "deny" term is showing the non-authorized attempts to connect to us. But I DONT see anything from A.B.C.D on port 123.

2) I don’t think you can send NTP data to the router on any port other than 123. Correct?

3) I don’t think there’s a way to get a 3rd party response. A sends NTP to B who responds to C. I don’t think that’s possible.That means it can’t look like a spoofed source IP from a valid IP. 

4) Related to #3, I don’t think you can compose a v6 packet in such a way that it will respond to a v4 address … so it can’t be the v6 filter that’s the issue.

5) All RE bound packets inbound MUST pass through the RE/loop filter, correct?

6) Is there any reason for XNTPD to generate this message from an event OTHER than receiving an NTP packet through the filter. In response to something other than NTP? Trace, ping, a shell command/login? I don’t thin this can happen.

Anyone have any other ideas?

-G

Attachment: smime.p7s
Description: S/MIME cryptographic signature