Hello
I have been using unraid for 3 years now, and I thought I had started to get the hang of it. However, recently I have had network issues because my router / network line is being bogged down by NTP requests. This is very much out of my knowledge zone, so I need to ask here for help. My ISP has been getting notices from NorCERT (Norwegian Computer Emergency Response Team), who try to prevent malicious internet activity.
To give some context on why I think this is NTP traffic, I will share an email from my ISP (translated from Norwegian to English using Google Translate):
"
Hello.
The following mail comes from NorCERT periodically.
Can you take a check on this?
See attachment and under.
----------------------------------------------
----- BEGIN PGP signed MESSAGE -----
Hash: SHA1
NorCERT has received a report regarding clients in your networks. We want to make you aware that these reports come from a third party, and we recommend that you verify this information as far as possible, as reports may contain false positives.
The data in the attachment are in most cases all the details we possess, but we can help if something should be unclear. The attachment to this email is in CSV format, with a header that contains the column names.
Each row represents a reported IP, and the same IP may appear several times in the report, with different timestamps. Unless otherwise stated, the timestamps are given in UTC.
Amplification / openresolvers:
This notification contains the addresses of services that communicate over UDP and can easily be used for DDoS attacks through UDP amplification.
Because the return address on UDP packets can be forged, a large proportion of the traffic in DDoS attacks comes from services like those in this notice.
The common denominator for these services is that they deliver many times the amount of data used in the requests, which is used to amplify the attack. Examples of these are open DNS resolvers, machines that respond to the NTP monitor command, and chargen and qotd services.
More detailed information can be found on the websites of the US-CERT:
http://www.us-cert.gov/ncas/alerts/TA13-088A
You may find that the services are supposed to be available only from the internal network, but in those cases they also reply to external requests.
These services can be checked from remote IP addresses with these commands:
dns/openresolver: dig +short test.openresolver.com TXT @[ip]
ntp-monitor: ntpdc -n -c monlist [ip]
ntp-version: ntpq -c rv [ip]
chargen: nc -u [ip] 19, then <enter>
NetBIOS: nbtstat -A [ip]
qotd: nc -u [ip] 17, then <enter>
snmp: snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.1.0
If you get a reply then,
snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.5.0
Be aware that the IP as notified is the one that gave a response to the request.
If a machine has a public interface that accepts requests, but has a default route through another machine / gateway, the answer to the request comes from the gateway, and it is the gateway that is included in the notification.
----- BEGIN PGP SIGNATURE -----
Version: GnuPG v1
----- END PGP SIGNATURE -----
"
This is what is written in the attachment.
category,"timestamp","src_ip","src_asn","src_port","src_host","dst_ip","dst_asn","dst_port","dst_host","comment"
amplification-ntp-monitor,"2018-12-18 07:11:27","xxx.xxx.xxx.xxx",52157,123,"xxx.xxx.xxx.xxx","0.0.0.0",0,0,"","[packets]:2 :664"
----------------------------------------------
As far as I can understand, there is traffic from port 123, which is used for NTP. I have been in contact with my ISP over these issues, but we can't make any sense of it.
I don't have any ports opened to my unraid server. Telnet has been disabled, as well as UPnP. The only dockers I am running are Pihole and Darkstat.
When I got this email in December I tried to reinstall unraid completely in case there was some malicious software on the server itself, but this did not help.
Yesterday I got very high ping in-game, and I also had between 1000-2000 ping to my router internally. So I shut down the unraid box and unplugged it from the network. This fixed the ping issue. I have attached a picture provided by my ISP which shows the ping from them to my router. I unplugged the unraid box around 6pm (I replugged the unraid box at 4am).
Today I also tried blocking port 123 UDP in iptables, but I have yet to see if it had any effect.
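An added example, not part of this post or of NorCERT's tooling, that reads a row in the attachment's CSV layout and maps its category to the service and UDP port it refers to, so you can see at a glance which host and service to check. The category names other than amplification-ntp-monitor, and the reading of the comment field as a packet count and a byte total, are assumptions; the IP and host in the sample are constructed placeholders.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample in the attachment's column layout; IP and host are placeholders.
SAMPLE_CSV = (
    'category,"timestamp","src_ip","src_asn","src_port","src_host",'
    '"dst_ip","dst_asn","dst_port","dst_host","comment"\n'
    'amplification-ntp-monitor,"2018-12-18 07:11:27","198.51.100.23",52157,123,'
    '"host.example","0.0.0.0",0,0,"","[packets]:2 :664"\n'
)

# Report category -> (service, UDP port an exposed amplifier listens on).
# Only ntp-monitor appears in the post; the other category names are assumed.
CATEGORY_PORTS = {
    "amplification-ntp-monitor": ("NTP monlist", 123),
    "amplification-dns-openresolver": ("open DNS resolver", 53),
    "amplification-chargen": ("chargen", 19),
    "amplification-qotd": ("qotd", 17),
}

# Assumed reading of the comment field: "[packets]:<count> :<bytes>".
COMMENT_RE = re.compile(r"\[packets\]:(\d+)\s*:(\d+)")

def parse_comment(comment):
    """Return (packet_count, byte_count), or None if the comment is not in that form."""
    m = COMMENT_RE.search(comment)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_report(text):
    """Turn the CSV attachment into one dict per reported IP/timestamp row."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        service, port = CATEGORY_PORTS.get(rec["category"], ("unknown", None))
        # Timestamps are UTC unless the report states otherwise.
        when = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
        when = when.replace(tzinfo=timezone.utc)
        counts = parse_comment(rec["comment"])
        rows.append({
            "when": when,
            "ip": rec["src_ip"],
            "service": service,
            # True when the reported source port is the one that service normally uses.
            "port_matches": port is not None and int(rec["src_port"]) == port,
            "packets": counts[0] if counts else None,
            "bytes": counts[1] if counts else None,
        })
    return rows
```

For the sample row this yields the NTP monlist service on port 123 with a matching source port, which is why the reported host is the one to look at first.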