
netsec-sig - Re: [Security-WG] I2 - Strange xntpd behavior

Subject: Internet2 Network Security SIG




  • From: Andrew Gallo <>
  • Subject: Re: [Security-WG] I2 - Strange xntpd behavior
  • Date: Fri, 22 Sep 2017 11:34:01 -0400

Couple of questions-


Is this happening intermittently, or at set intervals?

Is A.B.C.D a legit IP attempting to request time, even if it should be filtered?  Any chance you could mirror the packet in the filter?

I just tried sending a Juniper router random traffic on udp 123- nothing was logged.


On 9/22/2017 10:53 AM, gcbrowni wrote:
A little help?

I’m seeing some syslog messages that indicate the router is trying to
respond/do something related to NTP. I understand the error message proper
but I don’t understand WHY the router is trying to engage in NTP activity.



The message looks like:
2017-09-21T16:02:51+00:00 nnnn.net.internet2.edu
<http://rtsw.port.net.internet2.edu/> xntpd[70981]: sendto(A.B.C.D): No route
to host

Node nnnn is telling me that the NTP process (xntpd) can’t send a packet to
IP A.B.C.D. This is because A.B.C.D is in the CPS table and not in the R&E
table. That checks out.



But … there are loopback filters in place that should prevent the router ever
accepting the NTP packet from A.B.C.D in the first place. I can’t figure out
why, or what the triggering event is, that is causing the router to try to send NTP to
that host.

1) The first term in the filter is a syslog that matches on "port 123". If it
matches any tcp/udp on port 123 it syslogs and then moves on to the next terms. I see our normal and expected NTP
traffic being syslogged. Our final "deny" term is showing the non-authorized attempts
to connect to us. But I DON'T see anything from A.B.C.D on port 123.

2) I don’t think you can send NTP data to the router on any port other than
123. Correct?

3) I don’t think there’s a way to get a 3rd party response. A sends NTP to B
who responds to C. I don’t think that’s possible. That means it can’t look
like a spoofed source IP from a valid IP.

4) Related to #3, I don’t think you can compose a v6 packet in such a way
that it will respond to a v4 address … so it can’t be the v6 filter that’s
the issue.

5) All RE bound packets inbound MUST pass through the RE/loop filter, correct?

6) Is there any reason for XNTPD to generate this message from an event OTHER
than receiving an NTP packet through the filter? In response to something
other than NTP? Trace, ping, a shell command/login? I don’t think this can
happen.



Anyone have any other ideas?

-G

--
________________________________
Andrew Gallo
The George Washington University
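The check in point 1 of the original post (every xntpd sendto() target should also show up as a source in the loopback filter's port-123 syslog term) can be done mechanically rather than by eyeballing the log. The script below is an added example and is not part of the thread or of anyone's router configuration: it parses the xntpd error line as quoted above and an approximation of the Junos PFE_FW_SYSLOG_IP line that a filter term with the `syslog` action writes (field order assumed as interface, action, protocol, source, destination, source port, destination port), then reports targets xntpd complained about that the filter never logged. The sample syslog lines are constructed with RFC 5737 documentation addresses.

```python
"""Correlate xntpd 'sendto' errors with loopback-filter syslog hits.

Added example, not from the original thread. Log formats are
approximations of Junos syslog output; sample lines are constructed.
"""
import re
from collections import defaultdict

# The xntpd complaint as quoted in the thread (peer anonymised as A.B.C.D there).
XNTPD_SENDTO = re.compile(
    r"xntpd\[\d+\]: sendto\((?P<dst>[0-9.]+)\): (?P<err>.+)$"
)

# Assumed shape of a PFE_FW_SYSLOG_IP line from a filter term with 'syslog':
#   FW: <ifl> <A|D|R> <proto> <src> <dst> <sport> <dport> (N packets)
FILTER_LOG = re.compile(
    r"PFE_FW_SYSLOG_IP: FW: (?P<ifl>\S+)\s+(?P<action>[ADR])\s+"
    r"(?P<proto>\w+)\s+(?P<src>[0-9.]+)\s+(?P<dst>[0-9.]+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)"
)

# Constructed sample: two NTP hits on lo0 (one accepted, one denied), an
# unrelated SSH hit, and three xntpd sendto() failures.
SAMPLE_SYSLOG = """\
2017-09-21T16:02:40+00:00 nnnn fpc0 PFE_FW_SYSLOG_IP: FW: lo0.0   A udp 198.51.100.10 203.0.113.1    123   123 (1 packets)
2017-09-21T16:02:41+00:00 nnnn fpc0 PFE_FW_SYSLOG_IP: FW: lo0.0   D udp 192.0.2.99 203.0.113.1    41234   123 (1 packets)
2017-09-21T16:02:42+00:00 nnnn fpc0 PFE_FW_SYSLOG_IP: FW: lo0.0   A tcp 198.51.100.20 203.0.113.1    51000   22 (1 packets)
2017-09-21T16:02:51+00:00 nnnn xntpd[70981]: sendto(192.0.2.77): No route to host
2017-09-21T16:03:51+00:00 nnnn xntpd[70981]: sendto(198.51.100.10): No route to host
2017-09-21T16:04:51+00:00 nnnn xntpd[70981]: sendto(192.0.2.77): No route to host
"""


def parse_sendto_errors(lines):
    """Return {destination: count} for every xntpd sendto() failure."""
    errors = defaultdict(int)
    for line in lines:
        m = XNTPD_SENDTO.search(line)
        if m:
            errors[m.group("dst")] += 1
    return dict(errors)


def parse_ntp_filter_hits(lines):
    """Return {source: action} for filter log entries involving UDP port 123.

    Both accepted (A) and discarded (D) hits count: the question is whether
    the filter saw the peer at all, not what it did with the packet.
    """
    hits = {}
    for line in lines:
        m = FILTER_LOG.search(line)
        if not m or m.group("proto") != "udp":
            continue
        if "123" not in (m.group("sport"), m.group("dport")):
            continue
        hits[m.group("src")] = m.group("action")
    return hits


def unexplained_sendto_targets(lines):
    """Destinations xntpd tried to reach with no matching filter log entry.

    An entry here is the situation described in the thread: the daemon is
    sending to a peer that the loopback filter's logging term never saw.
    """
    errors = parse_sendto_errors(lines)
    hits = parse_ntp_filter_hits(lines)
    return {dst: n for dst, n in errors.items() if dst not in hits}


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for dst, n in sorted(unexplained_sendto_targets(lines).items()):
        print(f"{dst}: {n} sendto() failures, never seen by the lo0 filter")
```

Run it against a real syslog export by replacing `SAMPLE_SYSLOG` with the file contents; if a peer shows up in the output, the filter term and the daemon disagree about whether that peer ever sent anything, which is exactly what the original post is asking about. If the filter log format on your platform differs, adjust `FILTER_LOG` before trusting the result.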





