01-20-2016 02:42 PM
Our Networking Department received an email that stated:
"A public NTP server on your network, running on IP address [omitted] and UDP port 123, participated in a very large-scale attack against a customer of ours, generating UDP responses to spoofed "monlist" requests that claimed to be from the attack target.
The IP address is assigned to the RMX Shelf Management.
The email also included the following suggestions:
Please consider reconfiguring this NTP server in one or more of these ways:
- If you run ntpd, upgrading to the latest version, which removes the "monlist" command that is used for these attacks; alternately, disabling the monitoring function by adding "disable monitor" to your /etc/ntp.conf file.
- Setting the NTP installation to act as a client only. With ntpd, that can be done with "restrict default ignore" in /etc/ntp.conf; other daemons should have a similar configuration option. More information on configuring different devices can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html.
Our RMX is not behind a firewall, so we can't make any adjustment there.
Any advice on how I can resolve the "exploit"? Does the RMX have an NTP server that can be configured?
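Added example, not part of this thread or of any Polycom/HP tooling: a small Python detector for the egress side of the abuse described in the email above. It decodes the ntpd "mode 7" header that monlist replies use and flags any destination that receives repeated monlist responses from your own NTP host; the packet tuples, IP addresses and sample payloads are constructed for illustration.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7         # ntpd "mode 7" private protocol (ntpdc), which carries monlist
IMPL_XNTPD = 3           # implementation number ntpd answers with
MONLIST_REQS = (20, 42)  # REQ_MON_GETLIST and REQ_MON_GETLIST_1 request codes

def parse_mode7(payload):
    """Decode the 8-byte mode-7 header; return None for any other NTP mode."""
    if len(payload) < 8 or (payload[0] & 0x07) != MODE_PRIVATE:
        return None
    rm_vn_mode, _seq, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", payload[:8])
    return {"response": bool(rm_vn_mode & 0x80),  # bit 7 set: this is a reply
            "implementation": impl, "request": req,
            "error": err_nitems >> 12,            # top 4 bits: error code
            "nitems": err_nitems & 0x0FFF,        # low 12 bits: entries in this packet
            "itemsize": mbz_itemsize & 0x0FFF}

def is_monlist_response(payload):
    """True for a successful monlist reply, i.e. the amplification traffic itself."""
    h = parse_mode7(payload)
    return bool(h and h["response"] and h["error"] == 0
                and h["implementation"] == IMPL_XNTPD and h["request"] in MONLIST_REQS)

def find_amplification_targets(packets, min_replies=3):
    """packets: (src_port, dst_ip, payload) tuples for UDP leaving the NTP host.
    Returns {dst_ip: (reply_count, reply_bytes)} for hosts that received repeated
    monlist replies; a correctly restricted server emits none at all."""
    stats = defaultdict(lambda: [0, 0])
    for sport, dst, payload in packets:
        if sport == 123 and is_monlist_response(payload):
            stats[dst][0] += 1
            stats[dst][1] += len(payload)
    return {dst: tuple(v) for dst, v in stats.items() if v[0] >= min_replies}

def monlist_reply(nitems=6):
    """Constructed sample reply: 0x97 = response bit, version 2, mode 7; 72-byte items."""
    return struct.pack("!BBBBHH", 0x97, 0, IMPL_XNTPD, 42, nitems, 72) + b"\0" * (72 * nitems)

# Constructed egress sample: one ordinary mode-4 time reply, then 440-byte monlist replies.
SAMPLE_PACKETS = [
    (123, "198.51.100.7", b"\x24" + b"\0" * 47),   # normal 48-byte server reply (mode 4)
    (123, "203.0.113.55", monlist_reply()),
    (123, "203.0.113.55", monlist_reply()),
    (123, "203.0.113.55", monlist_reply()),
    (123, "198.51.100.7", monlist_reply(1)),       # one stray reply, below threshold
]
```

Feed it the UDP/123 traffic leaving the shelf-management address (from a span port or flow export) and any non-empty result means the device is still answering monlist and still usable as an amplifier.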
02-08-2016 09:46 AM
Hi Mike - thanks for the reply.
MCU Version is: 126.96.36.199
We do have a maintenance agreement for the RMX, so I placed a support call and created a ticket. A suggested quick fix was to unplug the cable from the ShMG (Shelf Management) port on the back of the RMX. Apparently ShMG is only needed for diagnostics and hardware monitoring. There was no cable in that port, but we were still able to ping the IP address that is assigned to the RMX Shelf Management. Within RMX Manager, I changed the IP address for Shelf Management to 0.0.0.0. I can no longer ping the address, and our ISP monitors have indicated the UDP responses and spoofed requests have stopped. For now, I think the problem has been resolved short term. Long term, we've been told that installing a Video Board Proxy (VBP) may give us more protection from future attacks.
On another note, I'm considering upgrading our RMX 2000 to the latest software version this summer. I'm hesitant because we'll also have to upgrade our RSS 4000 and CMA 4000, but our CMA is EOL. Besides this rogue NTP attack, our video conferencing has been fairly reliable for years, and I'd hate for the upgrade to break something.