[ntp:questions] Source port for NTP

Geoff Down geoffdown at fastmail.net
Thu Oct 22 02:26:34 UTC 2015


Hi,
I am occasionally getting outgoing firewall alerts from NTP attempting
to send packets back to random destinations. Although I have the latest
NTP and thus am not susceptible to NTP amplification DDoS attempts, I
would prefer not to be bugged by people scanning for vulnerable
servers. I assume that UDP packets are getting through the router due
to 'full cone NAT' as explained at
https://isc.sans.edu/forums/diary/Part+2+Is+your+home+network+unwittingly+contributing+to+NTP+DDOS+attacks/18549/
and the fact that NTP is always using port 123 as the source port when
it polls the remote time server every minute; thus leaving port 123 open
on the router all the time, since it never times out.
There are obviously ways to block the unwanted UDP packets after they
have reached the local network, but I'd rather they got blocked at the
router. To this end, can NTP be made to use a random source port (in
client/server mode)?
Ancillary question: can ntpd/ntpq/ntpdc be queried to confirm the
configuration file *actually* used when ntpd was invoked?
Thanks,
Geoff Down

-- 
http://www.fastmail.com - mmm... Fastmail...
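The mechanism described in the mail above, as an added illustration that is not part of the mailing-list thread: a toy full-cone NAT table that is refreshed by ntpd's once-a-minute polls from source port 123, so packets from an unrelated Internet host keep being forwarded to the LAN client for as long as polling continues, while a router that also checks the inbound source address (an address-restricted cone) drops them. All addresses, the 120-second mapping lifetime and the scanner timing are constructed assumptions, not values from the post.

```python
from collections import namedtuple
from dataclasses import dataclass, field

NTP_PORT = 123
POLL_INTERVAL = 60      # ntpd polls its upstream once a minute (as in the post)
MAPPING_TIMEOUT = 120   # assumed UDP mapping lifetime on the router, seconds
Packet = namedtuple("Packet", "t src dst")   # time (s), (ip, port), (ip, port)

@dataclass
class ConeNat:
    """Toy router NAT table keyed by the internal (ip, port) of each mapping."""
    full_cone: bool   # True: any external host may send through the mapping
    table: dict = field(default_factory=dict)

    def outbound(self, pkt):
        entry = self.table.setdefault(pkt.src, {"last": 0, "peers": set()})
        entry["last"] = pkt.t         # every poll refreshes the mapping
        entry["peers"].add(pkt.dst)   # remember who the client actually talked to

    def inbound(self, pkt):
        """True if the router forwards an inbound packet to the internal pkt.dst."""
        entry = self.table.get(pkt.dst)
        if entry is None or pkt.t - entry["last"] > MAPPING_TIMEOUT:
            self.table.pop(pkt.dst, None)   # mapping expired: packet dropped
            return False
        if self.full_cone:
            return True                     # full cone: no source check at all
        return pkt.src in entry["peers"]    # restricted cone: known peer only

CLIENT = ("192.0.2.10", NTP_PORT)     # constructed LAN host running ntpd
SERVER = ("198.51.100.1", NTP_PORT)   # constructed upstream time server
SCANNER = ("203.0.113.7", 40000)      # constructed unrelated Internet host

def admitted_scans(full_cone, hours=1, gap=30):
    """Count scanner packets forwarded while ntpd keeps polling every minute;
    the scanner sends one packet `gap` seconds after each poll."""
    nat = ConeNat(full_cone)
    hits = 0
    for t in range(0, hours * 3600, POLL_INTERVAL):
        nat.outbound(Packet(t, CLIENT, SERVER))
        hits += int(nat.inbound(Packet(t + gap, SCANNER, CLIENT)))
    return hits

def admitted_after_idle(full_cone, idle):
    """(reply forwarded?, scan forwarded `idle` seconds after the last poll?)"""
    nat = ConeNat(full_cone)
    nat.outbound(Packet(0, CLIENT, SERVER))
    reply_ok = nat.inbound(Packet(1, SERVER, CLIENT))
    return reply_ok, nat.inbound(Packet(idle, SCANNER, CLIENT))
```

With full-cone behaviour every scan packet in the hour gets through (60 of 60) because the mapping never goes idle long enough to expire; with the restricted-cone check the upstream server's replies still pass but none of the scanner's packets do, which is the router-side filtering the mail asks for.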
