Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BT2700HGV - NTP UDP Flood

david_b
Member

on ‎03-03-2014 02:02 PM

Over the last week or two I have seen my internet connection maxed out on the incomming (downloading) side. Reboot's of the 2700HGV stop this but sometimes it can be a matter of a few hours or a few days and it will start again.

 

Further investigation into this showed it was a UDP flood from various IP's to the IP address of my router that sits behind the 2700HGV. The 2700HGV is set to block anything incomming and not forward anything on to the router behind it, could this mean the router has an exploit? or is in some way forwarding NTP traffic on even though it's set to block everything?

 

I have now set some firewall rules on my router (not the 2700HGV) as I don't trust it anymore, so far so good.

0 Kudos
4 REPLIES 4

Burkem5
Guru

on ‎04-03-2014 12:12 PM

Whats the make of firewall sitting behind the router David? 
Is it a Zyxel ?

0 Kudos

david_b
Member
In response to Burkem5

on ‎07-03-2014 02:11 PM

It's a Vyatta firewall.

0 Kudos

Burkem5
Guru
In response to david_b

on ‎11-03-2014 10:50 AM

its worth while changing the remote management port on the firewall from 80 to 81 or 82,  this should stop the flood if this is the same issue we have seen with Zyxel and a few others

 

Burkem5

0 Kudos

Steve_A
Member
In response to Burkem5

‎23-04-2014 08:46 AM - edited ‎23-04-2014 08:47 AM

@Burkem5 wrote:

its worth while changing the remote management port on the firewall from 80 to 81 or 82,  this should stop the flood if this is the same issue we have seen with Zyxel and a few others

 

Burkem5


Well that's a stupid answer.  The OP posted about npt - using post 123 a UDP part of the TCP/IP protocol and the forum administrator suggests moving the remote admin port from 80 (http) to 81 or 82 (TOR borwoser ports) - these are completely unrelated!

 

The ntp (Network Time Protocol) UDP flood you are seeing is part of a world wide Distributed Denial of Service.  It is used as the originator of the attack sends a small request having spoofed your IP address or domain name.  The response from the high bandwidth time server on the internet is bigger than the request.  It is called an ampification attack.

 

Your options are to live with it or ask BT to stop ntp up stream; noting that you will not able able to get internet time yourself for your servers.

 

Regards.  

 

Steve A

 

PS:  Burkem5 - please either provide a factual and related answer, or do not post; posting incorrect rubbish helps no one!

0 Kudos