
I get numerous requests to my (macOS) computer for ntpd to connect to shady subnets when I'm connected to a particular commercial VPN:

https://twitter.com/petecooper/status/911946604759977984

https://pbs.twimg.com/media/DKficrvW4AA1Hxm.jpg:large

Numerous hosts across numerous networks, perhaps two or three an hour.

I've wondered what exactly would be gained by resetting a clock to a different time – this is a useful article.



That sounds like

1. your VPN provider is giving you an actual public IP address (??)

2. people are scanning your computer for NTP vulnerabilities or something (this happens if you have a public IP, regardless of network)

3. NTP is using UDP and so connectionless, and so Little Snitch can't distinguish "ntpd wants to reply to someone who contacted it" from "ntpd wants to connect to someone"

An alternative explanation for 1/2 is that your VPN provider is not isolating you from other VPN users (less surprising than giving you your own public IP) and someone else on the VPN is trying to conduct NTP amplification attacks using you: https://blog.cloudflare.com/understanding-and-mitigating-ntp...

In either case, the solution is basically to make your ntpd not listen for requests from other machines and only handle time from your local computer + initiating requests to time.apple.com or whatever your chosen NTP server is. It shouldn't be trying to reply at all to unexpected packets, even to send a refusal message (again, because UDP is connectionless, it's easy for an attacker on your LAN to send spoofed packets and convince you to send replies to some random computer on the internet, and I guess on this VPN, other customers are your LAN). I'm surprised that macOS's default NTP server isn't configured this way out-of-the-box, though.
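The "don't listen for other machines" configuration described in this comment, as an added example (not from the thread or from any VPN or macOS documentation); both ntp.conf snippets are constructed, and the checker only reads `restrict` lines:

```python
"""Check an ntp.conf against the advice above: ntpd should drop unsolicited
packets silently and only accept replies from the servers it queries itself.
Added example; the two configs below are constructed, not from the thread."""

# Constructed: answers time (and even ntpq) requests from anyone who asks.
PERMISSIVE_CONF = """
server time.apple.com
restrict default nomodify
"""

# Constructed: 'restrict default ignore' drops every unsolicited packet with
# no reply at all (so nothing can be bounced to a spoofed source address);
# loopback stays open for local ntpq; 'restrict source' covers each
# configured server so its replies are accepted but it cannot query us.
HARDENED_CONF = """
server time.apple.com iburst
restrict default ignore
restrict 127.0.0.1
restrict ::1
restrict source nomodify noquery notrap
"""

def parse_restrict(conf):
    """Map each restrict target ('default', 'source', an address) to its flags."""
    rules = {}
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].split()          # drop comments, tokenize
        if not line or line[0] != 'restrict':
            continue
        tokens = [t for t in line[1:] if t not in ('-4', '-6')]  # family switch
        if tokens:
            rules.setdefault(tokens[0], set()).update(tokens[1:])
    return rules

def audit(conf):
    """Return a list of findings; an empty list means the config is hardened."""
    rules = parse_restrict(conf)
    findings = []
    if 'ignore' not in rules.get('default', set()):
        findings.append("default policy answers unsolicited packets (add 'restrict default ignore')")
        return findings
    # 'ignore' by default also drops replies from our own servers unless they
    # are re-allowed, either with 'restrict source' or one line per server.
    if 'source' not in rules:
        findings.append("'restrict default ignore' without 'restrict source' drops your own servers' replies")
    if not ({'127.0.0.1', '::1'} & rules.keys()):
        findings.append("no loopback restrict line, so local ntpq is ignored as well")
    return findings
```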


>An alternative explanation for 1/2 is that your VPN provider is not isolating you from other VPN users (less surprising than giving you your own public IP) and someone else on the VPN is trying to conduct NTP amplification attacks using you:

This, I think, is most likely.


It seems strange that the firewall would block the outbound packet after letting the udp packet from some completely random host in.


Little Snitch is not so much a firewall in the usual sense as a phone-home prevention device. It's primarily interested in blocking outbound traffic (exfiltration), not inbound traffic.


Which VPN provider are you talking about?

Are you sure that it is not just NTP servers being served via DHCP once the connection is established and your computer trying to use those provided by your VPN?


It's PureVPN.

I'm not 100% sure about any of the ntpd connection requests; they're not predictable in their appearance. Some sessions are very quiet (zero requests), in others I get a bunch of incoming connection requests for smbd, and other odd things. I really should start taking notes rather than just denying the connections.


It looks like your VPN provider does not isolate traffic between clients connected to the same server. That is pretty bad, security-wise.


That's what I'm thinking. Suffice to say after a bit more poking around today, I no longer use the service.


Leakage from other clients perhaps?


That's my gut feeling, yes.


What server is your NTP Daemon configured to use? pool.ntp.org?

That could just be different pool addresses coming up.

