Best way to filter NTP port?

Hi,

I would like to ask you, if you give me a better idea on my issue.

On my network, I need to filter NTP (port 123 UDP) for all users. The aim is to avoid any possible attack (from them) while still allowing legitimate connections, given that the number of Smart TV devices on our network has recently increased. I tried to create some basic rules.

/ip firewall filter
add action=add-src-to-address-list address-list=Block-NTP-attack address-list-timeout=30m chain=forward comment="NTP Request" connection-limit=15,32 connection-state=new dst-port=123 limit=1,5:packet protocol=udp
add action=drop chain=forward comment="Drop NTP Connections" dst-port=123 protocol=udp src-address-list=Block-NTP-attack

Can’t say if we are 100% successful with this. If you guys have any more efficient ideas, I would greatly appreciate it.


Thanks

What kind of attack are you writing about? What do you want to limit?

Any possible kind of DoS attack that uses this port, like a UDP flood attack.

Just to be clear you are expecting users on your LAN to initiate attacks?

Do you want to limit flooding with NTP port but you do not care about flooding for DNS or SNMP or any other “well known” service?
What is the reason? Flooding is flooding no matter what target and how you flood.

Yes.

It's not that I don't care about flooding for DNS or SNMP. I just asked about NTP, because with this I have some complaints from users that their TV devices fail to connect to NTP servers. So to be safe, I thought I would eliminate any potential problems that could be caused by this type of traffic. Maybe I'm wrong. That's why I'm in this forum. 🙂

Regarding other stuff, I’ve created some basic rules against the well known services/ports. Drop all, allow exception.

Are you sure that TVs connect to proper NTP servers? Maybe they are set by default to access nonworking servers.
How do users decide whether the TV connected to NTP or not? Are they allowed to reconfigure the TVs?
Maybe you should install your own local NTP server https://wiki.mikrotik.com/wiki/Setup_local_NTP_servers

Yes, we have our own NTP server. But if I block all NTP traffic and allow it only through our NTP servers, many TVs, most of them Philips, fail to connect to the internet! The message they get is that the device is not syncing with Philips servers! Maybe their devices are configured by default to connect only to their own NTP servers. This must be looked into.

Anyhow, my question is: is it worth filtering NTP? It is not that I have had any problems; it is just a security measure.

So it's time to track which servers the Philips TVs connect to in order to check whether they have an Internet connection, and redirect all that traffic to your local resources.
It's easy to make a rule which redirects NTP traffic headed to e.g. ntp1.philips.com to your local resource. The TV will not even know that it is redirected.

Transparent NTP so they are invisibly forced to use yours?

Yes. I would say “convincing” a TV to believe that it connects to a server it wants to connect to.

Good idea!

Although it’s not very easy to track destination servers, because not all of them are Philips. I will try it anyway.

thanks

Make the Philips TVs' addresses static, syslog their traffic and find its common targets. They should all try to connect to the same servers.
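As an added example (not code from any post in this thread, and not taken from MikroTik's documentation), here are RouterOS commands that carry out the track-then-redirect approach described in the replies above: pin the TV's address, log its NTP requests with their original destination, then dst-nat its NTP traffic to the local server. The MAC address, the 192.168.10.0/24 addresses, the address-list name and the log prefix are placeholders I made up; replace them with your own values.

```routeros
# Added example, not from the original thread. All addresses, the MAC
# address, the list name and the log prefix are constructed placeholders.

# 1. Pin the TV to a fixed address and tag it in an address list.
/ip dhcp-server lease make-static [find mac-address="AA:BB:CC:DD:EE:FF"]
/ip firewall address-list
add list=philips-tv address=192.168.10.50 comment="Philips TV (placeholder address)"

# 2. Log the TV's outgoing NTP requests with their ORIGINAL destination.
#    mangle prerouting runs before dst-nat, so the logged dst-address stays
#    the vendor's address even after the redirect in step 3 is enabled.
/ip firewall mangle
add chain=prerouting src-address-list=philips-tv protocol=udp dst-port=123 action=log log-prefix="TV-NTP"

# 3. Once the targets are known, transparently redirect the TV's NTP to the
#    local server (192.168.10.1 is a placeholder). The TV keeps sending to the
#    vendor's address; the router rewrites the destination on the way through.
/ip firewall nat
add chain=dstnat src-address-list=philips-tv protocol=udp dst-port=123 action=dst-nat to-addresses=192.168.10.1 to-ports=123 comment="Redirect TV NTP to local server"

# 4. Hairpin: if the local NTP server sits on the same subnet as the TV, its
#    reply would otherwise go straight to the TV with the server's real source
#    address, which the TV did not send to. Masquerading this flow makes the
#    reply pass back through the router so the TV sees the address it expects.
add chain=srcnat src-address-list=philips-tv dst-address=192.168.10.1 protocol=udp dst-port=123 action=masquerade comment="Hairpin NAT for redirected NTP"

# Review what was logged before deciding on the redirect:
/log print where message~"TV-NTP"
```

If the router itself is the NTP server, step 3 can use action=redirect to-ports=123 instead of dst-nat, and step 4 is then unnecessary. Keep the logging rule in place for a while after enabling the redirect: a TV that still fails to sync while its requests are visibly being answered points to something other than NTP reachability.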

You are doing it the hard way.
Block packets dst-port = 123 in-interface=WAN

You don't have to rate limit / drop all the NTP packets originating from LAN destined to WAN.

In-interface in your rule means traffic from “outside” to “inside” but he wants to block/limit traffic in the opposite direction.

I had a similar problem with a septic panel device that couldn't get an IP.
The problem is the device gave a domain name in capital letters (not adhering to standards).
The MT router modified the domain name to lower case, so upon return traffic the device said "hey, I don't recognize that domain name" and ignored the return traffic from the router.
Using 1.1.1.1 as a DNS source it worked, because the lazy assed DNS provider just regurgitated the domain name verbatim, so the device recognized the return traffic.

Wonder if something similar is happening with the Philips devices??