On January 25, 2019 3:36:36 a.m. CST, Trevor Cordes <trevor@tecnopolis.ca> wrote:
I noticed that one of the customers I have that uses low-end business
MTS has had their NTP incoming/outgoing port (UDP 123) cut off (filtered)
at the ISP. Incoming I can understand, but outgoing? All the computers in
the office have their time out of sync now.

Does anyone know what the internal Bell/MTS time server's IP/domain is?
Surely they didn't cut us off to their internal one.

Will have the customer contact them eventually, but you know how it goes
with tech support. Looking for the quick solution...

Anyone else have their UDP 123 cut off since Bell came along?

Further: it looks like they are filtering outgoing only if your source
port is also 123. That is hardcoded into ntp (from what I've read). But
ntpdate allows the -u option to have the src port be >1024. I tried that
and ntpdate -u does work, but ntpdate without the -u gets blocked. So
they really are blocking in and out, but only src=123udp.

Looks like chrony (and others) lets you specify src port, but I'm loath
to uproot the system I know because Bell is braindead. (MTS didn't use to
block it, and block-happy Shaw does not block it.)

MTS has been blocking NTP for at least 3 years, I think more but can't be certain.
They did it when NTP was being exploited as a DDoS vector worldwide. Apparently enough customers had routers/PCs hooked up that were exploitable that it was becoming a serious nuisance.
IIRC a handful of "important" NTP servers are whitelisted, e.g. time.windows.com and the equivalent from Apple.
The source port limitation is specifically because only full-fledged NTP server implementations were vulnerable, and they must by definition use port 123.
The block only exists for ADSL/VDSL/FTTH customers AFAIK. Business fibre and SHDSL customers are expected to run firewalls that work.
-Adam
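
The source-port behaviour discussed in this thread, as an added example that is not part of either message: a minimal SNTP client whose `query()` sends from an OS-chosen source port by default (what `ntpdate -u` does) or from port 123. All function names and the constructed reply are assumptions made for illustration.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_ntp(ts):
    """Unix float -> (seconds, fraction) of a 64-bit NTP timestamp."""
    secs = int(ts)
    return secs + NTP_DELTA, int((ts - secs) * 2**32)

def from_ntp(secs, frac):
    return secs - NTP_DELTA + frac / 2**32

def build_request(t1):
    """48-byte client packet: LI=0, VN=4, Mode=3; transmit timestamp carries t1."""
    return struct.pack("!B39x2I", (4 << 3) | 3, *to_ntp(t1))

def parse_reply(data, t1, t4):
    """Validate a server reply and return the clock offset in seconds."""
    if len(data) < 48 or data[0] & 0x7 != 4:
        raise ValueError("not an NTP server reply")
    if data[1] == 0:
        raise ValueError("stratum 0 (kiss-o'-death), ignoring")
    org_s, org_f, rx_s, rx_f, tx_s, tx_f = struct.unpack("!6I", data[24:48])
    if (org_s, org_f) != to_ntp(t1):
        raise ValueError("origin timestamp does not match our request")
    t2, t3 = from_ntp(rx_s, rx_f), from_ntp(tx_s, tx_f)
    return ((t2 - t1) + (t3 - t4)) / 2

def query(server, src_port=0, timeout=3.0):
    """src_port=0: the OS picks an unprivileged port (the ntpdate -u case).
    src_port=123: the ntpd-style source port reported as filtered (needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", src_port))
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        data, _ = s.recvfrom(512)
        return parse_reply(data, t1, time.time())

def constructed_reply(t1, t2, t3):
    """Constructed server reply (Mode=4, stratum 2) for offline checks."""
    return struct.pack("!BB22x6I", (4 << 3) | 4, 2,
                       *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))
```

Running `query()` once with the default and once with `src_port=123` against the same server separates a source-port filter from a full block of UDP 123: a timeout only in the second case matches what the thread describes.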