NTP gone wild?
For at least the last week, my Watchguard Firebox 700 has been reporting numerous traffic entries like the following:
04/12/07 14:23 firewalld[120]: deny in eth0 76 udp 20 43 194.236.42.95 [my ip address] 123 62267 [default]
I’m probably getting about 1 per second.
As best as I understand it, the IP 194.236.42.95 is requesting information on port 123 (commonly used for NTP). I’ve added a proxy service and set it to auto-block any IP that tries to connect on port 123. And yet the traffic entries remain (all are being denied). I wonder how much of my bandwidth is being used by these requests.
Is there anything more I could/should do? I heard a story of NTP problems before and I'm wondering if this is just another case of misconfiguration (http://en.wikipedia.org/wiki/NTP_vandalism#NETGEAR_and_the_University_of_Wisconsin).
Dave Stone @ April 12, 2007
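An added example, not part of the original post: a small Python script that tallies deny entries like the one quoted above per source address and estimates the inbound bit rate they represent. It assumes the fields after the interface are packet length in bytes, protocol, IP header length, TTL, source, destination, source port and destination port; the sample lines are constructed from the quoted entry, with 192.0.2.10 standing in for the elided local address.

```python
import re
from collections import defaultdict

# Assumed field order for the deny line (not stated in the post):
# date time proc: deny in <if> <len> <proto> <ip_hdr_len> <ttl> <src> <dst> <sport> <dport>
LINE_RE = re.compile(
    r"^(?P<minute>\d\d/\d\d/\d\d \d\d:\d\d) firewalld\[\d+\]: deny in (?P<iface>\S+) "
    r"(?P<length>\d+) (?P<proto>\w+) \d+ \d+ "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)"
)

def summarize(lines):
    """Per-source totals for denied packets: count, bytes, minutes seen, ports."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "minutes": set(),
                                 "sports": set(), "dports": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore entries in any other format
        entry = stats[m["src"]]
        entry["packets"] += 1
        entry["bytes"] += int(m["length"])
        entry["minutes"].add(m["minute"])  # log timestamps have minute resolution
        entry["sports"].add(int(m["sport"]))
        entry["dports"].add(int(m["dport"]))
    return dict(stats)

def avg_bits_per_second(entry):
    """Average inbound bit rate over the minutes in which the source appeared."""
    return entry["bytes"] * 8 / (60 * len(entry["minutes"]))

# Constructed sample: the quoted entry repeated 60 times in one minute
# (about 1 per second), one unrelated deny, and one line that does not parse.
SAMPLE = (
    ["04/12/07 14:23 firewalld[120]: deny in eth0 76 udp 20 43 "
     "194.236.42.95 192.0.2.10 123 62267 [default]"] * 60
    + ["04/12/07 14:24 firewalld[120]: deny in eth0 48 tcp 20 113 "
       "198.51.100.7 192.0.2.10 4444 135 syn [default]",
       "04/12/07 14:24 firewalld[120]: some other message"]
)

if __name__ == "__main__":
    for src, e in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{src}: {e['packets']} pkts, {e['bytes']} bytes, "
              f"{avg_bits_per_second(e):.1f} bit/s, "
              f"src ports {sorted(e['sports'])}, dst ports {sorted(e['dports'])}")
```

The figure is an average over whole minutes, because the log timestamps carry no seconds.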