Receiving an NTP Monlist Vunlnerability Alert


You may have recently received a letter and/or email from Virgin Media explaining that we have been notified that a device on your network has a vulnerability known as a Network Time Protocol Monlist vulnerability (NTP Monlist). If you have received such a communication from us, please follow the advice given on this page to resolve the issue.

Overview

There exists a design flaw in NTP servers that can allow attackers to perform Distributed Denial of Service (DDoS) attacks against target machines. A remote attacker can leverage this flaw by sending a specially crafted request to an affected NTP server.

What has happened?

We work with a number of not-for-profit organisations across the banking industry and security sectors that collate information on devices across the Internet that appear to be compromised or misconfigured. This means that your compromised or misconfigured device is publicly accessible on the Internet, and therefore the scanning that is performed by these organisations is not within your private network.

We suspect a device connected to your home network may have an NTP monlist vulnerability.

For more information on these reports please visit ntpmonitorscan.shadowserver.org *

If the settings are left open they can be exploited to unwittingly participate in malicious activities, for example a Distributed Denial of Service (DDoS) attack.

It is therefore important that you follow the advice in this article. **


What can I do about it?

You can run the following command to check your server for the NTP Mode 6 & open NTP monlist vulnerabilities: 

ntpq -c rv [IP]

If you see a response, your server may be used in attacks.

Once you have identified the source of any issue within your home, you should upgrade to NTP-4.2.7p26 or later.

To resolve this vulnerability we would request that you check your router settings and all of your devices to ensure that TCP/UDP port 123 (NTP) is closed. The precise method for doing this will depend upon your make, model and operating system of your device

The easiest way to deal with the NTP vulnerability is to configure your firewall to block port 123.

It is worth noting that blocking this port will only stop traffic over that port leaving or entering your home network. Services within your home that use port 123 should continue to work as normal.

 

You can block NTP traffic yourself by following the instructions below:

• Configure your router firewall to block UDP port 123

• Disable NTP over TCP/IP on any remotely accessible devices
 

To configure port blocking on the Virgin Media SuperHub/2/2AC:

1. Log into the Settings page of the SuperHub. For details how to do this see Configure Advanced Settings on your Virgin Media Hub

2. Select Advanced Settings

3. Select Firewall

4. Ensure the Firewall is ticked and Firewall Protection is set to Medium

Alternatively:

To ensure port 123 is closed on the Super Hub 1 or 2’s firewall:

1. Access your Hub's configuration page - default web address: 192.168.0.1

2. Login with your username and password, default will be shown on the Hub itself

3. Select Advanced Settings and accept the prompt

4. Scroll down to the Security section

5. Select the Port Forwarding option

6. Tick the Delete box next to any rules that will keep port 123 open

7. Click the Apply option

8. Select the Port Triggering option

9. Tick the Delete box next to any rules that will keep port 123 open

10. Click the Apply option
 

Hub 3.0

To close the vulnerable port(s) on the Virgin Media Hub 3.0:

1. Access your Hub's configuration page - default web address: 192.168.0.1

2. Login with your username and password, default will be shown on the Hub itself

3. Select Security on the left side of the page

4. Select the Port Forwarding option

5. Remove any rules that will keep port 123 open

6. Select the Port Triggering option

7. Remove any rules that will keep port 123 open
 

3rd party routers

If you use a 3rd party router in conjunction with the Virgin Media Super Hub or Hub 3.0, your router's firewall will need to be configured to ensure port 123 is not accessible outside of your local network - this can be performed by blocking the port or removing any Port Forwarding rules for port 123. In order to identify how to do this with your particular router, refer to the documentation for your device or refer to the manufacturer's website
 

Demilitarized Zone (DMZ)

Most firewalls, including the one provided with the Virgin Media Superhub and Hub 3.0 include a DMZ option. This feature allows for a device using a specific local IP address on your home network (e.g. 192.168.0.2) to bypass your Firewall settings. This is occasionally necessary if you are using a device that has its own firewall configured. If you have a device configured in your firewall's DMZ that does not use its own firewall, it is crucial that you disable this option immediately. Computers operating without a firewall are extremely vulnerable to attack as all ports are essentially exposed to the wider Internet.

To check if a device is configured in the DMZ on your Virgin Media Superhub 1 or 2:

• Access your Hub's configuration page - default web address: 192.168.0.1

• Login with your username and password, default will be shown on the Hub itself

• Select Advanced Settings

• Select DMZ

• To remove a device from the DMZ, uncheck the tick box at the top of the page

To check if a device is configured in the DMZ on your Virgin Media Hub 3.0:

• Access your Hub's configuration page - default web address: 192.168.0.1

• Login with your username and password, default will be shown on the Hub itself

• Select 'Security' on the left side of the page

• Select the 'DMZ' option

• To remove a device from the DMZ, tick the 'Disable' box

Where can I find further information and advice?

If you’d like further advice then our forum community will be happy to help. Just visit virginmedia.com/community and join the conversation on our Security Matters board.

You can find general security advice and articles on other vulnerabilities by checking Security Hub at virginmedia.com/securityhub


*These links to external sites are provided as a courtesy and we are not responsible for the content of these sites or any problems encountered whilst applying these steps and we are not able to provide any technical support for such problems.

** These fixes are provided as a courtesy and we are not responsible for any problems encountered whilst applying these steps and we are not able to provide any technical support for such problems.

 


Need more help


    Ask our community

  • Helpful, friendly forums
  • Packed with tips and advice
  • Staffed by Virgin Media

   


    Contact us

  • Get in touch with our friendly team
  • Waiting times may vary
  • Free from Virgin Media phones or mobile