# Strange traffic on my FreeBSD server



## jonfr (Feb 8, 2014)

I have been seeing a lot of traffic on my mrtg monitoring. From what I can see this appears to be due to ntp server activity. I did recently move from ntp to openntp. According to the documentation openntp does not listen by default. I have not changed the default configuration; at least I have not enabled any service intentionally. My FreeBSD 10.0 Release server is just used on my local LAN. It does not connect directly to the internet (besides DNS port 53, the ports for the IPv6 tunnel connection and the Minecraft port that is open).

When I run netstat, I get this.


```
netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.2.ssh        192.168.1.7.35822      ESTABLISHED
tcp4       0      0 192.168.1.2.http       192.168.1.7.48039      TIME_WAIT
tcp4       0      0 192.168.1.2.http       192.168.1.7.48038      TIME_WAIT
tcp4       0      0 192.168.1.2.http       192.168.1.7.48037      TIME_WAIT
tcp4       0      0 192.168.1.2.http       192.168.1.7.48036      TIME_WAIT
tcp4       0      0 192.168.1.2.http       192.168.1.7.48035      TIME_WAIT
tcp4       0      0 192.168.1.2.http       192.168.1.7.48030      TIME_WAIT
tcp4       0      0 192.168.1.2.10000      192.168.1.7.43830      CLOSED
tcp4       0      0 192.168.1.2.microsoft- 192.168.1.3.3880       ESTABLISHED
udp4       0      0 192.168.1.2.23438      80-71-132-103.u..ntp
udp4       0      0 192.168.1.2.28885      23.0.126.96.dyna.ntp
udp4       0      0 192.168.1.2.15818      94.231.110.37.ntp
udp4       0      0 192.168.1.2.51990      web01.hemligt.ne.ntp
udp4       0      0 192.168.1.2.48696      212.99.250.69.ntp
udp6       0      0 jonfr500-1-pt.tu.16553 2001:1448:208:37.ntp
udp4       0      0 192.168.1.2.40567      ntp.dvconsulting.ntp
udp4       0      0 192.168.1.2.17497      87.104.211.8.ntp
```

The configuration settings for openntp.


```
[...]

# Addresses to listen on (ntpd does not listen by default)
#listen on *

# sync to a single server
#server ntp.example.org

# use a random selection of NTP Pool Time Servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
servers pool.ntp.org
server 0.freebsd.pool.ntp.org
server 1.freebsd.pool.ntp.org
server 2.freebsd.pool.ntp.org
server 3.freebsd.pool.ntp.org
```

Here is a picture of the strange traffic that I am dealing with; I fail to properly locate the traffic source for this. There are just two computers that use the server at any given time. There is also minor DHCP traffic from mobile phones, but it is not at these hours.



Thanks for the help.


----------



## wblock@ (Feb 8, 2014)

Have you seen this? https://www.us-cert.gov/ncas/alerts/TA14-013A


----------



## jonfr (Feb 8, 2014)

I did know about this, but I did not think it was an issue since I had removed the blocked version of ntp from my system following the upgrade to FreeBSD 10.0 Release. I have moved to openntp (maybe that has the same issue?).

When I add the suggested configuration to openntp, I get this error when starting it.


```
service openntpd start
Starting openntpd.
/usr/local/etc/ntpd.conf:7: syntax error
/usr/local/etc/rc.d/openntpd: WARNING: failed to start openntpd
```

I am not sure what to do. Thanks for the help.


----------



## trh411 (Feb 8, 2014)

jonfr said:

> I did know about this, but I did not think it was an issue since I had removed the blocked version of ntp from my system following the upgrade to FreeBSD 10.0 Release. I have moved to openntp (maybe that has the same issue?).
> 
> When I add the suggested configuration to openntp. I get this error when starting it.
> 
> ...


Post the contents of /usr/local/etc/ntpd.conf. You have a syntax error, line 7.


----------



## jonfr (Feb 8, 2014)

This is the configuration file. I have commented out the lines that were creating the issue.


```
# $FreeBSD: head/net/openntpd/files/ntpd.conf 340872 2014-01-24 00:14:07Z mat $
# sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
#listen on *

#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery

# sync to a single server
#server ntp.example.org

# use a random selection of NTP Pool Time Servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
servers pool.ntp.org
server 0.freebsd.pool.ntp.org
server 1.freebsd.pool.ntp.org
server 2.freebsd.pool.ntp.org
server 3.freebsd.pool.ntp.org
```
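The "line 7" in the error above is the first `restrict` line: `restrict` (like `driftfile`, `keys` and the other directives from the US-CERT advisory) is ISC ntpd syntax, and OpenNTPD's parser does not know it. OpenNTPD needs no such line for the mitigation, because it only serves time at all when a `listen on` directive is present. The following shell/awk check is an added example, not part of the thread or of the openntpd port; it assumes the OpenNTPD release in ports at the time accepts only `listen on`, `server`, `servers` and `sensor` as top-level directives, and it runs against a constructed copy of the file posted above with the two `restrict` lines uncommented.

```shell
#!/bin/sh
# Added example (not from the thread): find lines in an OpenNTPD ntpd.conf
# that use ISC ntpd directives, which OpenNTPD's parser rejects with
# "<file>:<line>: syntax error".
# Assumption: the only top-level directives this OpenNTPD release accepts
# are "listen on", "server", "servers" and "sensor"; anything else
# ("restrict", "driftfile", "keys", ...) is ISC ntpd syntax.

# Print "<line>: <text>" for every active line that is not an OpenNTPD directive.
check_openntpd_conf() {
  awk '
    /^[ \t]*(#|$)/ { next }                                # comments, blank lines
    $1 == "listen" && $2 == "on" { next }
    $1 == "server" || $1 == "servers" || $1 == "sensor" { next }
    { printf "%d: %s\n", NR, $0 }                          # anything else is foreign
  ' "$1"
}

# Exit status 0 when the file contains no foreign directive, 1 otherwise,
# so it can gate "service openntpd start" in a script.
openntpd_conf_ok() {
  [ -z "$(check_openntpd_conf "$1")" ]
}

# Constructed sample: the file posted in the thread, with the two "restrict"
# lines uncommented, i.e. the state that produced the line 7 error.
write_sample_conf() {
  cat > "$1" <<'EOF'
# $FreeBSD: head/net/openntpd/files/ntpd.conf 340872 2014-01-24 00:14:07Z mat $
# sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
#listen on *

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# sync to a single server
#server ntp.example.org

# use a random selection of NTP Pool Time Servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
servers pool.ntp.org
server 0.freebsd.pool.ntp.org
server 1.freebsd.pool.ntp.org
server 2.freebsd.pool.ntp.org
server 3.freebsd.pool.ntp.org
EOF
}

# Demonstration on the constructed sample; on a real host run
#   check_openntpd_conf /usr/local/etc/ntpd.conf
tmp=$(mktemp)
write_sample_conf "$tmp"
check_openntpd_conf "$tmp"      # first reported line is 7, the restrict line
openntpd_conf_ok "$tmp" || echo "fix the lines above before starting openntpd"
rm -f "$tmp"
```

Both `restrict` lines are reported, the first at line 7, matching the daemon's own message; with them commented out the check is silent and `openntpd_conf_ok` returns 0.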


----------



## kpa (Feb 8, 2014)

I don't see anything in your post that connects the excess traffic to the NTP connections, the NTP connections look normal to me. This is what I have on my firewall, I'm also using net/openntpd and I'm restricting the daemon to listen only on local interfaces:


```
firewall ~ % netstat -n -f inet -p udp
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
udp4       0      0 10.71.14.1.53          *.*
udp4       0      0 127.0.0.1.53           *.*
udp4       0      0 88.195.yy.xx.58562    83.150.82.37.123
udp4       0      0 88.195.yy.xx.15434    193.28.89.56.123
udp4       0      0 88.195.yy.xx.24197    62.237.86.234.123
udp4       0      0 88.195.yy.xx.31918    83.150.121.194.123
udp4       0      0 88.195.yy.xx.27491    80.69.172.80.123
udp4       0      0 88.195.yy.xx.10155    212.116.33.167.123
udp4       0      0 88.195.yy.xx.61558    194.100.2.198.123
udp4       0      0 88.195.yy.xx.23116    94.237.64.20.123
udp4       0      0 88.195.yy.xx.11580    213.28.138.38.123
udp4       0      0 88.195.yy.xx.20527    62.237.86.238.123
udp4       0      0 88.195.yy.xx.39948    194.100.206.70.123
udp4       0      0 88.195.yy.xx.38206    194.100.2.194.123
udp4       0      0 10.71.14.1.5351        *.*
udp4       0      0 10.71.14.1.15255       *.*
udp4       0      0 10.71.14.1.123         *.*
udp4       0      0 127.0.0.1.123          *.*
```


----------



## worldi (Feb 8, 2014)

jonfr said:

> I did recently move from ntp to openntp.



If your old ntpd was abused for DDoS attacks chances are your IP is still on someone's list.


----------



## jonfr (Feb 8, 2014)

For some reason I see that sendmail is started. The following is started when I start my FreeBSD 10.0 server.

sendmail_submit and sendmail_msp_queue. I don't run any email server on this computer and I don't plan to do so. I also don't have anything in rc.conf that enables sendmail to start at boot time.

Thanks for the help.


----------



## jonfr (Feb 8, 2014)

@kpa, my server computer is behind a firewall when it comes to IPv4 connections. I have everything blocked on it except what I need to use. Hurricane Electric has told me that there have been some attacks on the IPv4 server for my IPv6 tunnel. I don't think it should route to my server at all, since they have locked it down (I was tracing a problem when they told me this in an email; the problem was not my IPv6 tunnel but a Google IPv6 address not answering ping6).

Now when I run `netstat`, I get this output.


```
netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.2.http       192.168.1.7.54406      TIME_WAIT
tcp4       0      0 192.168.1.2.http       192.168.1.7.54405      TIME_WAIT
tcp4       0      0 192.168.1.2.http       192.168.1.7.54404      TIME_WAIT
tcp4       0      0 192.168.1.2.http       192.168.1.7.54374      TIME_WAIT
tcp4       0      0 192.168.1.2.http       192.168.1.7.54372      TIME_WAIT
tcp4       0      0 192.168.1.2.ssh        192.168.1.7.41167      ESTABLISHED
tcp4       0      0 192.168.1.2.netbios-ss 192.168.1.3.1869       ESTABLISHED
udp4       0      0 192.168.1.2.46347      n1.taur.dk.ntp
udp4       0      0 192.168.1.2.62535      77.243.43.213.ntp
udp4       0      0 192.168.1.2.57731      ip1.c174.alb335..ntp
udp4       0      0 192.168.1.2.23822      web01.hemligt.ne.ntp
udp4       0      0 192.168.1.2.29829      ntp.ngdc.net.ntp
udp6       0      0 jonfr500-1-pt.tu.20410 2001:1448:208:37.ntp
udp4       0      0 192.168.1.2.40138      freesbee.wheel.d.ntp
udp4       0      0 192.168.1.2.22362      0126800067.1.ful.ntp
```

I still can't figure this out. Thanks for the help.


----------



## worldi (Feb 8, 2014)

jonfr said:

> sendmail_submit and sendmail_msp_queue.



These are enabled by default to handle mails sent by the periodic() scripts:


```
% egrep "(queue|submit)_enable" /etc/defaults/rc.conf
sendmail_submit_enable="YES"    # Start a localhost-only MTA for mail submission
sendmail_msp_queue_enable="YES" # Dequeue stuck clientmqueue mail (YES/NO).
```

It's nothing to worry about.


----------



## jonfr (Feb 12, 2014)

This strange traffic has started again. I suspect that it is connected to the ntp service, even though I moved to openntp from ntp a few days ago. The traffic stopped yesterday around 20:00 UTC and started again today around 06:00 UTC.


----------



## worldi (Feb 12, 2014)

As I've mentioned earlier, you're probably still listed as vulnerable somewhere. I'd close port 123/UDP.

BTW, it looks like Cloudflare is using their Plan B to mitigate the attacks...
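kpa's point earlier in the thread and worldi's advice here come down to the same check on the netstat output: every UDP line in jonfr's listings has an ephemeral local port and a remote `.ntp` peer, which is a client socket polling a pool server, while a host that could be used as a reflector shows local port 123 (or `ntp`) bound with `*.*` as the foreign address. The shell/awk classifier below is an added example, not part of the thread; it assumes FreeBSD's `netstat` column layout ("Proto Recv-Q Send-Q Local Address Foreign Address") and runs on constructed copies of the two listings posted above (kpa's abridged to four client lines).

```shell
#!/bin/sh
# Added example (not from the thread): classify the UDP sockets in netstat
# output as NTP client sockets (ephemeral local port talking to remote port
# 123) or NTP listeners (local port 123 bound, no peer), and note whether a
# listener is on loopback or on another address.
# Assumption: FreeBSD netstat layout "Proto Recv-Q Send-Q Local Foreign [state]";
# ports may be numeric (netstat -n) or the service name "ntp".

# Read netstat output on stdin; print one classified line per NTP socket.
classify_ntp_sockets() {
  awk '
    $1 !~ /^udp/ { next }
    {
      # the port is the text after the last dot, the host everything before it
      lp = $4; sub(/.*\./, "", lp); lh = $4; sub(/\.[^.]*$/, "", lh)
      fp = $5; sub(/.*\./, "", fp)
      if ((lp == "123" || lp == "ntp") && $5 == "*.*") {
        if (lh == "127.0.0.1" || lh == "::1" || lh == "localhost")
          kind = "listener-loopback"
        else
          kind = "listener-nonloopback"
      } else if (fp == "123" || fp == "ntp") {
        kind = "client"
      } else {
        next
      }
      printf "%-20s %s -> %s\n", kind, $4, $5
    }'
}

# Same input; print one summary line with a count per class.
summarize_ntp_sockets() {
  classify_ntp_sockets | awk '
    { n[$1]++ }
    END { printf "clients=%d listeners_loopback=%d listeners_nonloopback=%d\n", n["client"], n["listener-loopback"], n["listener-nonloopback"] }'
}

# Constructed sample: kpa's "netstat -n -f inet -p udp" listing, abridged.
sample_kpa() {
  cat <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
udp4       0      0 10.71.14.1.53          *.*
udp4       0      0 127.0.0.1.53           *.*
udp4       0      0 88.195.yy.xx.58562    83.150.82.37.123
udp4       0      0 88.195.yy.xx.15434    193.28.89.56.123
udp4       0      0 88.195.yy.xx.24197    62.237.86.234.123
udp4       0      0 88.195.yy.xx.31918    83.150.121.194.123
udp4       0      0 10.71.14.1.5351        *.*
udp4       0      0 10.71.14.1.123         *.*
udp4       0      0 127.0.0.1.123          *.*
EOF
}

# Constructed sample: the UDP part of jonfr's first "netstat" listing.
sample_jonfr() {
  cat <<'EOF'
udp4       0      0 192.168.1.2.23438      80-71-132-103.u..ntp
udp4       0      0 192.168.1.2.28885      23.0.126.96.dyna.ntp
udp4       0      0 192.168.1.2.15818      94.231.110.37.ntp
udp4       0      0 192.168.1.2.51990      web01.hemligt.ne.ntp
udp4       0      0 192.168.1.2.48696      212.99.250.69.ntp
udp6       0      0 jonfr500-1-pt.tu.16553 2001:1448:208:37.ntp
udp4       0      0 192.168.1.2.40567      ntp.dvconsulting.ntp
udp4       0      0 192.168.1.2.17497      87.104.211.8.ntp
EOF
}

# Demonstration; on the real host use:  netstat -an -f inet -p udp | classify_ntp_sockets
echo "kpa:";   sample_kpa   | summarize_ntp_sockets
echo "jonfr:"; sample_jonfr | summarize_ntp_sockets
```

kpa's listing shows one loopback and one LAN-address listener (the deliberate `listen on` restriction to local interfaces) plus client sockets; jonfr's shows clients only and no listener at all, so the OpenNTPD on 192.168.1.2 cannot answer anyone, let alone amplify. What the classifier cannot see is traffic that never reaches a socket: requests aimed at port 123 of a host that is still on an old reflector list arrive and are dropped, but they still count on an mrtg graph, which is why a firewall rule dropping inbound UDP/123 on the external interface (in pf, `block in quick on $ext_if proto udp from any to any port 123`, written here as an illustration) is the matching mitigation for a host that no longer serves time.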


----------



## jonfr (Feb 12, 2014)

I don't have this port open on my router for IPv4 connections. It is open for IPv6 connections but I am not seeing any traffic outside normal on that connection. But this is clearly some type of an attack on my server from the looks of it.


----------

