[Shorewall-users] NTP attack?

Øyvind Lode Tue, 02 Jul 2013 01:07:04 -0700

Hi all:

I'm running a public ntp server (member of the ntp.org pool) behind my 
Shorewall box.


The ntp server is up and running and I see on my status page on ntp.org that 
all is well with my ntp server.

However a few hosts are filling my firewall logs with packets that looks to be 
ntp packets.

Proto=udp and dpt=123.

But shorewall is dropping these packets but allowing regular ntp since I have a 
rule allowing ntp (DNAT to an internal machine).

The log entries looks like this:

####################

Jul  2 09:01:04 munin Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=48:5b:39:ac:1b:5e:
00:12:da:a4:14:bf:08:00 SRC=62.92.61.52 DST=x.x.x.x LEN=76 TOS=00 PREC=0x00
TTL=53 ID=30170 PROTO=UDP SPT=455 DPT=123 LEN=56 MARK=0
Jul  2 09:01:07 munin Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=48:5b:39:ac:1b:5e:
00:12:da:a4:14:bf:08:00 SRC=62.92.61.52 DST=x.x.x.x LEN=76 TOS=00 PREC=0x00
TTL=53 ID=30171 PROTO=UDP SPT=455 DPT=123 LEN=56 MARK=0
Jul  2 09:01:09 munin Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=48:5b:39:ac:1b:5e:
00:12:da:a4:14:bf:08:00 SRC=62.92.61.52 DST=x.x.x.x LEN=76 TOS=00 PREC=0x00
TTL=53 ID=30172 PROTO=UDP SPT=455 DPT=123 LEN=56 MARK=0
Jul  2 09:01:12 munin Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=48:5b:39:ac:1b:5e:
00:12:da:a4:14:bf:08:00 SRC=62.92.61.52 DST=x.x.x.x LEN=76 TOS=00 PREC=0x00
TTL=53 ID=30173 PROTO=UDP SPT=455 DPT=123 LEN=56 MARK=0
Jul  2 09:01:13 munin Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=48:5b:39:ac:1b:5e:
00:12:da:a4:14:bf:08:00 SRC=62.92.61.52 DST=x.x.x.x LEN=76 TOS=00 PREC=0x00
TTL=53 ID=30174 PROTO=UDP SPT=455 DPT=123 LEN=56 MARK=0

####################

I removed DST IP since that is not relevant.

I hope that somebody on this list can explain what's going on.

Currently I'm dropping all traffic from this IP to prevent it from cluttering 
my log even more.

Thanks

- Øyvind

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

[Shorewall-users] NTP attack?

Reply via email to