Sundur

Issues with malicious traffic on port 123



Posted (edited)

Hello

 

I have been using Unraid for 3 years now, and I thought I had started to get the hang of it. However, recently I have had network issues because my router / network line is being bogged down by NTP requests. This is very much outside my knowledge zone, so I need to ask here for help. My ISP has been getting notices from NorCERT (Norwegian Computer Emergency Response Team), who try to prevent malicious internet activity.

 

To give some context for why I think this is NTP traffic, I will share an email from my ISP (translated from Norwegian to English using Google Translate):

Hello.

The following mail comes from NorCERT periodically.

Can you take a look at this?

See the attachment and below.

----------------------------------------------

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NorCERT has received a report regarding clients in your networks. We want to make you aware that these reports come from a third party, and we recommend that you verify this information as far as possible, as reports may contain false positives.

The data in the attachment are in most cases all the details we possess, but we can help if something is unclear. The attachment to this email is in CSV format, with a header that contains the column names.

Each row represents one reported IP, and the same IP may appear several times in the report with different timestamps. Unless otherwise stated, timestamps are given in UTC.

Amplification / open resolvers:

This notification contains the addresses of services that communicate over UDP and can easily be used for DDoS attacks through UDP amplification.

Because the source address on UDP packets can be forged, a large proportion of the traffic in DDoS attacks comes from services like those in this notice.

The common denominator for these services is that they return many times the amount of data used in the request, which is used to amplify the attack. Examples are open DNS resolvers, machines that respond to the NTP monitor command (monlist), and chargen and qotd services.

More detailed information can be found on the website of US-CERT:

http://www.us-cert.gov/ncas/alerts/TA13-088A

You may find that the services are meant to be available only from the internal network, but in those cases we still notify when they also reply to external requests.

These services can be checked from remote IP addresses with these commands:

dns/openresolver: dig +short test.openresolver.com TXT @[ip]
ntp-monitor:      ntpdc -n -c monlist [ip]
ntp-version:      ntpq -c rv [ip]
chargen:          nc -u [ip] 19, then <enter>
NetBIOS:          nbtstat -A [ip]
qotd:             nc -u [ip] 17, then <enter>
snmp:             snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.1.0
                  If you get a reply, then:
                  snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.5.0

 

Be aware that the IP that is notified is the one that responded to the request.

If a machine has a public interface that accepts requests but has a default route through another machine / gateway, the answer to the request will come from the gateway, and it is the gateway that is included in the notification.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJcGduiAAoJEOGQvmlqN87kJf4QAMOdDCzLAhzpjPTmv4KFy7rl
7PcGDhgLncHDiQEcpK+t0YHOGhVHLVEXn0i839p99CjXojs/wn/m13/Ua5itWl8l
idyNIvB9n/MR9T57I7vCgNMOZJ3OlEiUnvdKWujD3RXjnyxKVa8KOFL/s2i+hr5i
HeBz4CsQWY42j6tSSIn2N6vWFwlMWNjxd3KznhBWBnZglrErHopW8NYpRR85M7MF
2dgnyubMQSZUVw2Bzm1ngArPKJuLiGkKbXJEcCEJcNpOnBVweh9nkek0+29kVBSv
9wAPNQhYpe7BceiUC/v6QzDIXQ853Zsyr1BuG774Rz4WPtCYgHexS/TIaCy2zzde
de2i3R289tW1gO8GgRgt+BAO3ZDjaOLUZsOAWeDmPjbRGH6EJtyvSBmsVrYPvOo2
MRrr7ABZAogDkiiBT66VRanlp2zRHJZuqJt1gFMPrEIdKQMmeF67q6tSUDWhO5H4
JOAD8TcotUCKqjZtw3w07tgWfpjsqWQ43tRUZeVFTmhVXiwrjm5yMKcaA9LOVwpA
nql6HYYWmZUKMRDvk0E/G+Y82gq0Phb7bPaMKV6yOSYWDB3ZdESLZW//6F+vP9O7
2WBzfp7+DfyvazsKgBvDlnpYwkLMbAlPbQQt+tESkMbIoiwa4858bXyH4MpE9qBK
5KYIKdToJHxPFhTM3veE
=VyCa
-----END PGP SIGNATURE-----

This is what is written in the attachment.

category,"timestamp","src_ip","src_asn","src_port","src_host","dst_ip","dst_asn","dst_port","dst_host","comment"
amplification-ntp-monitor,"2018-12-18 07:11:27","xxx.xxx.xxx.xxx",52157,123,"xxx.xxx.xxx.xxx","0.0.0.0",0,0,"","[packets]:2 :664"

 

----------------------------------------------

 

As far as I can understand, there is traffic from port 123, which is used for NTP. I have been in contact with my ISP over these issues, but we can't make any sense of it.

 

I don't have any ports opened to my Unraid server. Telnet has been disabled, as well as UPnP. The only Docker containers I am running are Pi-hole and Darkstat.

 

When I got this email in December, I tried reinstalling Unraid completely in case there was some malicious software on the server itself, but this did not help.

 

Yesterday I got very high ping in-game, and I also had between 1000 and 2000 ms ping to my router internally. So I shut down the Unraid box and unplugged it from the network. This fixed the ping issue. I have attached a picture provided by my ISP which shows the ping from them to my router. I unplugged the Unraid box around 6 pm (and plugged it back in at 4 am).

Today I also tried blocking UDP port 123 in iptables, but I have yet to see whether it had any effect.

PRTG 03.03.19.png

Edited by Sundur
translation errors

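Worked example, added here as editor's illustration (it is not code from this thread, from NorCERT, or from Unraid). NorCERT's check for the reported category is `ntpdc -n -c monlist [ip]`; the Python below builds the same NTP mode 7 MON_GETLIST_1 ("monlist") request from scratch, parses the reply packets, and reports the numbers a report like the one above carries: packets, bytes, and the bytes-out / bytes-in amplification ratio. Assumptions: the packet layout is taken from ntpd's ntp_request.h (8-byte mode 7 header, 72-byte info_monitor_1 entries, at most 6 entries per reply packet); the 8-byte request is the minimal header that public monlist scanners send; the reply returned by `sample_exchange()` is constructed, not captured, and uses TEST-NET-1 (192.0.2.0/24) client addresses; and reading the CSV comment `[packets]:2 :664` as 2 packets / 664 bytes is my assumption, chosen because a 9-client monlist reply (one full 440-byte packet plus a 224-byte packet) gives exactly that size. Only `probe()` touches the network.

```python
"""Mode 7 "monlist" probe: build the request ntpdc -c monlist sends, parse the
replies, and measure the amplification ratio.  Packet layout follows ntpd's
ntp_request.h (struct info_monitor_1 is 72 bytes per entry)."""
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass

NTP_PORT = 123
IMPL_XNTPD = 3           # implementation number ntpdc uses when talking to ntpd
REQ_MON_GETLIST_1 = 42   # request code behind "monlist"
MON_ENTRY_SIZE = 72      # sizeof(struct info_monitor_1)
HDR = struct.Struct("!BBBBHH")        # rmvm, auth|seq, impl, reqcode, err|count, mbz|size
ENTRY = struct.Struct("!IIIIIIIHBB")  # first 32 bytes of an entry; the other 40 are v6 fields

@dataclass
class MonEntry:
    addr: str       # IPv4 client that recently talked to the server
    port: int
    count: int      # packets ntpd has seen from it
    mode: int
    version: int

@dataclass
class Mode7Response:
    more: bool      # further packets follow (ntpd sends up to 100 of them)
    seq: int
    error: int      # 0 = data follows; non-zero = refused (e.g. 4 = nodata)
    entries: list[MonEntry]

def build_monlist_request(seq: int = 0) -> bytes:
    """8-byte header only: R=0 M=0 VN=2 mode=7 (0x17), impl 3, req 42, no data."""
    return HDR.pack(0x17, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)

def build_mode7_response(entries: list[MonEntry], seq: int, more: bool) -> bytes:
    """Server side of the exchange; used here only to construct offline test traffic."""
    b0 = 0x80 | (0x40 if more else 0) | 0x17    # response bit, more bit, VN=2, mode 7
    hdr = HDR.pack(b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, len(entries), MON_ENTRY_SIZE)
    body = b"".join(
        ENTRY.pack(0, 0, 0, e.count, int.from_bytes(socket.inet_aton(e.addr), "big"),
                   0, 0, e.port, e.mode, e.version) + bytes(MON_ENTRY_SIZE - ENTRY.size)
        for e in entries)
    return hdr + body

def parse_mode7_response(pkt: bytes) -> Mode7Response:
    """Decode one reply; raises on anything that is not a mode 7 monlist reply."""
    if len(pkt) < HDR.size:
        raise ValueError("short packet")
    b0, b1, impl, req, err_count, mbz_size = HDR.unpack_from(pkt)
    if (b0 & 0x07) != 7 or not (b0 & 0x80):
        raise ValueError("not a mode 7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("reply to a different request")
    error, count, size = err_count >> 12, err_count & 0x0FFF, mbz_size & 0x0FFF
    entries: list[MonEntry] = []
    if error == 0:
        if size != MON_ENTRY_SIZE or len(pkt) < HDR.size + count * size:
            raise ValueError("bad item size or truncated data")
        for i in range(count):
            _, _, _, cnt, addr, _, _, port, mode, ver = ENTRY.unpack_from(pkt, HDR.size + i * size)
            entries.append(MonEntry(socket.inet_ntoa(addr.to_bytes(4, "big")), port, cnt, mode, ver))
    return Mode7Response(bool(b0 & 0x40), b1 & 0x7F, error, entries)

def summarize(request: bytes, responses: list[bytes]) -> dict:
    """The numbers a NorCERT-style report carries: packets, bytes, and bytes-out / bytes-in."""
    parsed = [parse_mode7_response(p) for p in responses]
    total = sum(len(p) for p in responses)
    return {"packets": len(responses), "bytes": total,
            "clients": sum(len(r.entries) for r in parsed),
            "amplification": total / len(request),
            "monlist_enabled": any(r.error == 0 and r.entries for r in parsed)}

def sample_exchange() -> list[bytes]:
    """Constructed reply (not a capture): 9 clients on TEST-NET-1, split 6 + 3 as ntpd
    does, i.e. 440 + 224 = 664 bytes in 2 packets."""
    clients = [MonEntry(f"192.0.2.{i}", 123, 10 * i, 3, 4) for i in range(1, 10)]
    return [build_mode7_response(clients[:6], seq=0, more=True),
            build_mode7_response(clients[6:], seq=1, more=False)]

def probe(host: str, timeout: float = 2.0) -> list[bytes]:
    """Live equivalent of 'ntpdc -n -c monlist HOST' (needs network; only for hosts you own)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    pkts: list[bytes] = []
    try:
        s.sendto(build_monlist_request(), (host, NTP_PORT))
        while True:
            data, _ = s.recvfrom(65535)
            pkts.append(data)
            if not parse_mode7_response(data).more:
                break
    except socket.timeout:
        pass  # silence is the healthy outcome: filtered, or mode 7 disabled
    finally:
        s.close()
    return pkts

if __name__ == "__main__":
    import sys
    replies = probe(sys.argv[1]) if len(sys.argv) > 1 else sample_exchange()
    print(summarize(build_monlist_request(), replies))
```

Run it with no arguments to see the offline sample (2 packets, 664 bytes, 83x amplification of the 8-byte request); `python3 ntp_monlist.py <host>` sends a real probe, which should only be pointed at addresses you are responsible for. An ntpd that is patched (4.2.7p26 or later ships without monlist) or configured with `disable monitor` / `restrict default noquery` answers with a non-zero error code or not at all, which shows up here as `monlist_enabled: False` or an empty reply list. Two caveats for the situation in this thread: as NorCERT's email notes, the reply can come from the gateway rather than the box behind it, so a clean result from the Unraid server alone does not clear the router; and if you drop inbound UDP/123 on the server with iptables, keep an ESTABLISHED,RELATED accept rule ahead of it, because ntpd sends from port 123 and the replies from its upstream time servers arrive on that same port.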

Any response would just be speculation at this point. If you upload your diagnostics someone might have some ideas (Tools -> Diagnostics, then attach entire zip file to your next post)


It would also be helpful to explain your setup.

 

Usually your first line of defence is your router. It should stop malicious traffic from entering your local network, where your server is located.

Many people make the mistake of placing their server in the DMZ of their router, but this basically exposes the server to the Internet without any restriction. Don't do that!

 

Blocking ports on the server is a second line of defence, mainly to stop "inside" attacks.

 

On 3/10/2019 at 1:30 AM, ljm42 said:

Any response would just be speculation at this point. If you upload your diagnostics someone might have some ideas (Tools -> Diagnostics, then attach entire zip file to your next post)

If I see more of the high latency, I will upload the diagnostics zip file. The server was rebooted after the UDP port was blocked in iptables, and the issue has not appeared since.

 

On 3/11/2019 at 2:11 PM, bonienl said:

It would also be helpful to explain your setup.

 

I have the Unraid server set up only as a NAS with SMB shares for Plex.

I also have a Windows PC which runs Plex and TeamSpeak. The Plex server on the Windows PC uses the shares on the Unraid box as storage.

The Windows PC is the only thing that has ports forwarded.

 

The computer and the NAS box are connected over Ethernet through a Linksys switch, and the switch is connected to the router.

 

 

I think blocking the port in iptables solved my problem. Thank you for the replies though!

If I see more of this issue, I will post again.

 


It sounds to me like your router may be the problem.

