On January 25, 2019 3:36:36 a.m. CST, Trevor Cordes trevor@tecnopolis.ca wrote:
I noticed that one of the customers I have that uses low-end business MTS has had their NTP incoming/outgoing port (UDP 123) cut off (filtered) at the ISP. Incoming I can understand, but outgoing? All the computers in the office have their time out of sync now.
Does anyone know what the internal Bell/MTS time server's IP/domain is? Surely they didn't cut us off to their internal one.
Will have the customer contact them eventually, but you know how it goes with tech support. Looking for the quick solution...
Anyone else have their UDP 123 cut off since Bell came along?
Further: it looks like they are filtering outgoing only if your source port is also 123. That is hardcoded into ntp (from what I've read). But ntpdate allows the -u option to have the src port be >1024. I tried that and ntpdate -u does work, but ntpdate without the -u gets blocked. So they really are blocking in and out, but only src=123udp.
Looks like chrony (and others) lets you specify src port, but I'm loathe to uproot the system I know because Bell is braindead. (MTS didn't use to block it, and block-happy Shaw does not block it.)

_______________________________________________
Roundtable mailing list
Roundtable@muug.ca
https://muug.ca/mailman/listinfo/roundtable
MTS has been blocking NTP for at least 3 years, I think more but can't be certain. They did it when NTP was being exploited as a DDoS vector worldwide. Apparently enough customers had routers/PCs hooked up that were exploitable that it was becoming a serious nuisance. IIRC a handful of "important" NTP servers are whitelisted, e.g. time.windows.com and the equivalent from Apple. The source port limitation is specifically because only full-fledged NTP server implementations were vulnerable, and they must by definition use port 123. The block only exists for ADSL/VDSL/FTTH customers AFAIK. Business fibre and SHDSL customers are expected to run firewalls that work.

-Adam
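The behaviour Trevor observed (replies only when the client's source port is not 123, i.e. the ntpdate -u case) can be checked directly from a customer machine without ntpdate. The script below is an added example written for this thread, not code from any poster: it sends a minimal NTPv4 client query once from an ephemeral source port and once from source port 123 (the latter needs root to bind) and reports which one gets an answer. The default server name pool.ntp.org is an assumption; pass any server as the first argument.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_ntp_request():
    # First byte: LI=0, VN=4, Mode=3 (client) -> 0x23; rest of the 48-byte header zero.
    return bytes([0x23]) + bytes(47)


def parse_ntp_response(data):
    # Return the server's transmit timestamp as unix time; reject anything that
    # is not a 48-byte mode-4 (server) reply.
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode = data[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp field
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def probe(server, source_port, timeout=2.0):
    # One query from the given UDP source port (0 = ephemeral, like ntpdate -u).
    # Returns unix time from the reply, or None if nothing came back in time.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.settimeout(timeout)
        sock.bind(("", source_port))  # PermissionError for 123 without root
        sock.sendto(build_ntp_request(), (server, 123))
        data, _ = sock.recvfrom(512)
        return parse_ntp_response(data)
    except socket.timeout:
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org"  # assumed default
    ephemeral = probe(server, 0)
    fixed = probe(server, 123)
    print("src ephemeral:", ephemeral and time.ctime(ephemeral))
    print("src 123      :", fixed and time.ctime(fixed))
    if ephemeral is not None and fixed is None:
        print("reply only with an unprivileged source port: path filters src=123/udp")
```

A reply from the ephemeral-port probe but none from port 123 matches the src=123-only filter described above; no reply from either means the server or all of UDP 123 is unreachable.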