biomesh
Premium Member
join:2006-07-08
Tomball, TX

biomesh to pitpro

[Connectivity] Re: Why is Comcast blocking all NTP Time servers?

You should really use one of the NTP pool DNS names. Only one NTP server on your list is truly an open access NTP server with no restrictions.

I know it doesn't help your problem unless the pool addresses do work.

jlivingood
Premium Member
join:2007-10-28
Philadelphia, PA

said by biomesh:

You should really use one of the NTP pool DNS names. Only one NTP server on your list is truly an open access NTP server with no restrictions.

I know it doesn't help your problem unless the pool addresses do work.

That may help. Also I expect many NTP servers are applying more access controls due to the increase in massive new NTP attacks like this 400G+ attack a few weeks ago: »blog.cloudflare.com/tech ··· s-attack

davidc502
join:2002-03-06
Mount Juliet, TN

Member

said by jlivingood:

increase in massive new NTP attacks

jlivingood is correct... There's been an exploit for NTP that allows hackers to spoof a victim's IP address and use the "monlist" command to have an NTP server send large amounts of data to the victim.

The fix for the DDOS attack on NTP servers has been to upgrade NTP servers to version 4.2.7 or later. This will remove the "monlist" command entirely.

If the NTP server cannot be upgraded, then the next step would be to add "disable monitoring" to the ntp.conf file and restart the NTP service.

Lastly, NTP administrators are recommended to implement firewall rules that restrict traffic to the NTP server from unauthorized sources.

The above changes have been a nation-wide attempt to secure NTP.

So, I'm thinking the OP may have been shut down by the recent NTP changes. Essentially it may be up to the OP to get "white listed" if NTP is mission critical. Not that another NTP server couldn't be found (one that accepts requests as configured).

David
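The ntp.conf changes davidc502 lists, as an added example that is not from the thread: a POSIX sh audit that checks a config for the two mitigations an ntpd that cannot be upgraded needs, with a constructed weak config beside a hardened one. The directive ntpd actually accepts is "disable monitor", and "noquery" on the default restrict lines is the companion setting; the function name ntp_conf_hardened and both sample configs are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ntp.conf for the two settings
# that close the monlist amplification vector on an ntpd that cannot be
# upgraded: "disable monitor" (drops the monlist/MRU list) and "noquery" on
# every "restrict default" line (refuses mode 6/7 queries from everyone not
# explicitly allowed). Assumes POSIX sh, grep and mktemp; configs are constructed.
re_default='^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)'
re_noquery='(^|[[:space:]])noquery([[:space:]]|$)'
re_disable='^[[:space:]]*disable([[:space:]]+[a-z]+)*[[:space:]]+monitor([[:space:]]|$)'
# Returns 0 when the file has both mitigations; otherwise prints what is
# missing and returns 1. Commented-out lines do not count as present.
ntp_conf_hardened() {
    f=$1; ok=0
    if ! grep -Eq "$re_disable" "$f"; then
        echo "$f: missing 'disable monitor'"; ok=1
    fi
    defaults=$(grep -E "$re_default" "$f" || true)
    if [ -z "$defaults" ]; then
        echo "$f: no 'restrict default' line, queries answered from anywhere"; ok=1
    elif printf '%s\n' "$defaults" | grep -Evq "$re_noquery"; then
        echo "$f: a 'restrict default' line lacks noquery"; ok=1
    fi
    return $ok
}

# Constructed "before" config: a typical setup of the era, which still
# answers monlist for any source address.
weak=$(mktemp)
cat >"$weak" <<'EOF'
server 0.pool.ntp.org
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer
EOF
# Constructed "after" config: same server, monlist off, queries refused by
# default for IPv4 and IPv6, localhost left open so ntpq still works locally.
strong=$(mktemp)
cat >"$strong" <<'EOF'
server 0.pool.ntp.org
driftfile /var/lib/ntp/ntp.drift
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF
trap 'rm -f "$weak" "$strong"' EXIT
for f in "$weak" "$strong"; do
    ntp_conf_hardened "$f" && echo "$f: hardened"
done
```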

train_wreck
slow this bird down
join:2013-10-04
Antioch, TN
Cisco ASA 5506
Cisco DPC3939

Member
said by jlivingood:

That may help. Also I expect many NTP servers are applying more access controls due to the increase in massive new NTP attacks like this 400G+ attack a few weeks ago: »blog.cloudflare.com/tech ··· s-attack

yeah that one was quite a doozie

pitpro
join:2003-12-31
Winnetka, IL

Member

I just got home from work. Someone is listening because magically, they all work now except tick.uh.edu, and that one I don't think I had used in a while anyway. And the tracerts are now clean.

It was frustrating that responders were ignoring the fact I have 2 ISP connections here for redundancy and the AT&T line exhibited no problems with NTP.

Thanks to all that posted the helpful info on the NTP attacks and such. It got someone's attention. Hopefully no more problems.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\>tracert navobs1.wustl.edu

Tracing route to navobs1.wustl.edu [128.252.19.1]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.0.1
2 9 ms 9 ms 9 ms 69.243.144.1
3 9 ms 9 ms 9 ms te-0-7-0-12-sur04.mortongrove.il.chicago.comcast.net [69.139.233.237]
4 18 ms 12 ms 11 ms te-2-2-0-1-ar01.area4.il.chicago.comcast.net [68.86.189.1]
5 14 ms 15 ms 11 ms he-3-8-0-0-cr01.350ecermak.il.ibone.comcast.net [68.86.90.49]
6 11 ms 11 ms 12 ms he-0-11-0-1-pe04.350ecermak.il.ibone.comcast.net [68.86.83.62]
7 12 ms 11 ms 14 ms 23.30.206.134
8 13 ms 14 ms 11 ms be2003.ccr22.ord01.atlas.cogentco.com [154.54.29.21]
9 177 ms 214 ms 208 ms te7-2.ccr01.stl03.atlas.cogentco.com [154.54.2.217]
10 18 ms 18 ms 18 ms 38.104.162.78
11 18 ms 18 ms 19 ms eth7-2-eps-core.nts.wustl.edu [128.252.100.125]
12 20 ms 19 ms 20 ms eng-epscore-p2p.nts.wustl.edu [128.252.1.50]
13 19 ms 19 ms 18 ms navobs1.wustl.edu [128.252.19.1]

Trace complete.

tshirt
Premium Member
join:2004-07-11
Snohomish, WA

said by pitpro:

the AT&T line

More likely the AT&T line passed you on to whoever was there, while the Comcast DNSSEC recognized an unresolved security warning.
If you are going to continue to use XP, recognize it has a lot of unpatchable holes and will let you do all sorts of risky things.

scaredpoet
join:2001-03-26
Monmouth Junction, NJ

Member

said by tshirt:

If you are going to continue to use XP, recognize it has a lot of unpatchable holes and will let you do all sorts of risky things.

Second this. Microsoft is ending support for Windows XP next month.

»windows.microsoft.com/en ··· ort-help

It's a 12-year-old operating system, and it's absolutely time to upgrade to something less vintage. If not, you are potentially setting yourself up for much bigger problems than not being able to reach your NTP server of choice.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper to jlivingood

said by jlivingood:

the increase in massive new NTP attacks


High-bandwidth NTP amplification DDoS attacks escalate

In just one month (February 2014 vs. January 2014):

- The number of NTP amplification attacks increased 371.43 percent

- Average peak DDoS attack bandwidth increased 217.97 percent

- The average peak DDoS attack volume increased 807.48 percent.

davidc502
join:2002-03-06
Mount Juliet, TN

davidc502

Member

This is why NTP admins should upgrade to 4.2.7 asap. If not, then make configuration changes to close the doors.

train_wreck
slow this bird down
join:2013-10-04
Antioch, TN
Cisco ASA 5506
Cisco DPC3939

Member

said by davidc502:

This is why NTP admins should upgrade to 4.2.7 asap. If not, then make configuration changes to close the doors.

yep, or optionally just disable the utterly insane MONLIST/monitoring capabilities in their current servers.