Still blocking ntp ports for outbound 123?

Contributor

According to "What practices has AT&T adopted to manage network security?", the NTP protocol is blocked in "Both" outbound and inbound directions.

It appears that if I have a client on my home network it should be able to reach out to pool.ntp.org on port 123.

So should this document be updated to state blocked for "Inbound" only?

Message 1 of 9
Administrator

Re: Still blocking ntp ports for outbound 123?

Hi @rbeede,

It does get blocked in both directions, but it is not always blocked. Depending on the sites, it may or may not get blocked. We apologize about any inconveniences this causes.

-ATTU-verseCare


Employee Contributor*
*I am an AT&T employee and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.
Message 2 of 9
Community Support

Re: Still blocking ntp ports for outbound 123?

Per the BroadBand policy:

AT&T blocks certain ports that transfer malicious or disruptive traffic to protect our customers and our network. Below is more information about port blocking that is currently in place. We may block additional ports in the future based upon threat assessments.

Port 0/TCP: Port 0 is a reserved port. This port should not be used for any applications. Blocking protects our customers from potentially harmful types of network abuses.

Port 19/UDP: Port 19 Chargen is a protocol designed to generate a stream of characters for debugging and measurement. Because more recent tools have been developed for measurement and debugging purposes, blocking protects against use of this port in Reflective DDOS attacks.

Port 25/TCP: Simple Mail Transport Protocol (SMTP) is used to send email. Port 25/TCP may be blocked from customers with dynamically-assigned Internet Protocol (IP) addresses to protect systems from becoming a mail relay for SPAM. Customers can subscribe to AT&T SMTP services if they need to host an SMTP server on the Internet.

Port 68/UDP: Port 68 is used to obtain dynamic IP address information from a dynamic host configuration protocol (DHCP) server. Port 68 may be blocked to eliminate the risk of exposure to a rogue DHCP server.

Port 123/UDP: Network Time Protocol (NTP) is used to accurately synchronize computer time of day to a reference time server. Some aspects of Port 123 may be limited to minimize malicious use. Poorly-configured NTP servers can be used for Reflective DDOS attacks, and some devices provide NTP service inadvertently, which exacerbates the port’s malicious use.

Port 135/TCP: NetBIOS is a network file sharing protocol and is also known as Common Internet File System or LanManager. Blocking protects customers from exposing files unintentionally, worms, and viruses.

Port 139/TCP: NetBIOS is a network file sharing protocol and is also known as Common Internet File System or LanManager. Blocking protects customers from exposing critical system files unintentionally, which could give system access to a malicious actor.

Port 445/TCP: NetBIOS is a network file sharing protocol and is also known as Common Internet File System or LanManager. Blocking mitigates a potential threat to certain operating systems. Similar to our blocking of Ports 135 and 139, blocking Port 445 protects customers from exposing files unintentionally, worms, and viruses.

Port 520/UDP: RIPv1 - UDP port 520 is used by the Routing Information Protocol (RIP) to share network routing information. RIPv1 was designed to support route information sharing on small classful (class A, B, C, D) networks and has limited usefulness in today’s classless networks. Port 520 has been used by malicious actors to generate Reflective DDOS attacks.

Port 1900/UDP: Universal Plug and Play (UPnP) is a protocol standard designed to allow device discovery over a local network. Some home routers may expose this port to the Internet, which could allow attackers to defeat the security attributes of Network Address Translation (NAT) and allow attackers to use the port for Reflective DDOS attacks.

AT&T Customer Care


Need help with an account specific question? Post a new question here on the forums by clicking the "Ask a Question" button. Have email issues? Contact the Digital Assistance Center at 877-267-2988 and you can also reach out to our Chat Support 24/7.

For additional support, please visit us at our AT&T services hub.

Follow us on: Twitter @ATTCares and @DIRECTVService

Message 3 of 9
Contributor

Re: Still blocking ntp ports for outbound 123?

Is there a way to unblock that port for a specific account?

Does AT&T provide any recommendations on how devices on a home network should synchronize their clocks if that port is blocked?

Message 4 of 9
Community Support

Re: Still blocking ntp ports for outbound 123?

@mfcmfc,

The only one that I know that can be unblocked is 25. I will ask around to some contacts to see if any of the others is possible. But as of right now I would have to say no. If I learn differently then I will get back to you.

AT&T Customer Care


Message 5 of 9
Teacher

Re: Still blocking ntp ports for outbound 123?

I really need port 1900 unblocked. Is there any way I could get this done? Just on one of my devices.
Message 6 of 9

Re: Still blocking ntp ports for outbound 123?

I would like inbound UDP 123 unblocked on a block of static IPv4 addresses we subscribe to, if possible.  Were you able to find out if unblocking UDP 123 is possible?

Message 7 of 9
Contributor

Re: Still blocking ntp ports for outbound 123?

I called support this morning and managed to get UDP 123 unblocked. Mind you, it took 4 transfers and about 50 minutes to reach the right support group that could do this, but once I did, the agent did it quickly and efficiently, and happily all my machines are now time syncing. "Fiber support" was who ended up helping me.

Thankful for this thread to know that AT&T was originally blocking it! I wasn't sure if the problem was my NTP config, my router/firewall config, or AT&T.

Good luck!

Message 8 of 9
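
A way to tell apart the three suspects named in the post above (NTP configuration, local router/firewall, upstream filtering), as an added example that is not part of the thread: a minimal SNTP query that validates the reply it gets. The function names and the constructed sample reply are assumptions of this example; only pool.ntp.org and UDP port 123 come from the thread.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def build_request(now=None):
    """48-byte client request: LI=0, VN=4, Mode=3, transmit timestamp = now."""
    now = time.time() if now is None else now
    secs = (int(now) + NTP_DELTA) & 0xFFFFFFFF
    frac = int((now % 1) * 2**32) & 0xFFFFFFFF
    return struct.pack("!B3x11I", 0x23, *([0] * 9), secs, frac)

def parse_reply(reply, request):
    """Validate a reply against our request; return (stratum, unix_time)."""
    if len(reply) < 48:
        raise ValueError("short packet")
    if reply[0] & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    if reply[24:32] != request[40:48]:  # origin must echo our transmit timestamp
        raise ValueError("origin timestamp does not echo our request")
    if reply[1] == 0:  # stratum 0 carries a kiss code in the reference ID field
        raise ValueError("kiss-o'-death: " + reply[12:16].decode("ascii", "replace"))
    tx_secs = struct.unpack("!I", reply[40:44])[0]
    return reply[1], tx_secs - NTP_DELTA

def probe(host, source_port=0, timeout=3.0):
    """One query; source_port=123 mimics a daemon bound to the NTP port (needs privileges)."""
    request = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", source_port))
        s.sendto(request, (host, 123))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "no reply (dropped somewhere on the path, or server down)"
        return "reply: stratum %d, server time %d" % parse_reply(reply, request)

def constructed_reply(request, stratum=2, unix_time=1700000001):
    """Constructed sample reply for offline checks (not captured traffic)."""
    head = struct.pack("!4B", 0x24, stratum, 6, 0xEC) + bytes(20)
    return head + request[40:48] + bytes(8) + struct.pack("!II", unix_time + NTP_DELTA, 0)

if __name__ == "__main__":
    for port in (0, 123):  # 0 = ephemeral source port chosen by the OS
        try:
            print("source port", port or "ephemeral", "->", probe("pool.ntp.org", port))
        except (OSError, ValueError) as exc:
            print("source port", port or "ephemeral", "-> error:", exc)
```

A reply from an ephemeral source port but none from source port 123 points at a filter keyed on the port rather than at the client configuration. No reply in either case does not by itself say where on the path the packets are dropped.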

Re: Still blocking ntp ports for outbound 123?

Did you get inbound or outbound requests unblocked? I have a PBX running for a couple phones on other networks and their default configurations point to the PBX for time sync, so they need to access UDP 123 behind my router. I would need it unblocked in both directions.

Message 9 of 9