rbeede's profile

Contributor

 • 

1 Message

Wednesday, January 18th, 2017 10:27 PM

Still blocking ntp ports for outbound 123?

According to "What practices has AT&T adopted to manage network security?", the NTP protocol is blocked in "Both" outbound and inbound directions.

 

It appears that if I have a client on my home network it should be able to reach out to pool.ntp.org on port 123.

 

So should this document be updated to state blocked for "Inbound" only?

Community Support

 • 

231.3K Messages

7 years ago

Hi @rbeede,

 

It does get blocked in both directions, but it is not always blocked. Depending on the sites, it may or may not get blocked. We apologize about any inconveniences this causes.

 

-ATTU-verseCare

Community Support

 • 

1.3K Messages

7 years ago

Per the BroadBand policy:

AT&T blocks certain ports that transfer malicious or disruptive traffic to protect our customers and our network. Below is more information about port blocking that is currently in place. We may block additional ports in the future based upon threat assessments.


Port 0/TCP: Port 0 is a reserved port. This port should not be used for any applications. Blocking protects our customers from potentially harmful types of network abuses.

Port 19/UDP: Port 19 Chargen is a protocol designed to generate a stream of characters for debugging and measurement. Because more recent tools have been developed for measurement and debugging purposes, blocking protects against use of this port in Reflective DDOS attacks.

Port 25/TCP: Simple Mail Transport Protocol (SMTP) is used to send email. Port 25/TCP may be blocked from customers with dynamically-assigned Internet Protocol (IP) addresses to protect systems from becoming a mail relay for SPAM. Customers can subscribe to AT&T SMTP services if they need to host an SMTP server on the Internet.

Port 68/UDP: Port 68 is used to obtain dynamic IP address information from a dynamic host configuration protocol (DHCP) server. Port 68 may be blocked to eliminate the risk of exposure to a rogue DHCP server.

Port 123/UDP: Network Time Protocol (NTP) is used to accurately synchronize computer time of day to a reference time server. Some aspects of Port 123 may be limited to minimize malicious use. Poorly-configured NTP servers can be used for Reflective DDOS attacks, and some devices provide NTP service inadvertently, which exacerbates the port’s malicious use.

Port 135/TCP: NetBIOS is a network file sharing protocol and is also known as Common Internet File System or LanManager. Blocking protects customers from exposing files unintentionally, worms, and viruses.

Port 139/TCP: NetBIOS is a network file sharing protocol and is also known as Common Internet File System or LanManager. Blocking protects customers from exposing critical system files unintentionally, which could give system access to a malicious actor.

Port 445/TCP: NetBIOS is a network file sharing protocol and is also known as Common Internet File System or LanManager. Blocking mitigates a potential threat to certain operating systems. Similar to our blocking of Ports 135 and 139, blocking Port 445 protects customers from exposing files unintentionally, worms, and viruses.

Port 520/UDP: RIPv1 - UDP port 520 is used by the Routing Information Protocol (RIP) to share network routing information. RIPv1 was designed to support route information sharing on small classful (class A, B, C, D) networks and has limited usefulness in today’s classless networks. Port 520 has been used by malicious actors to generate Reflective DDOS attacks.

Port 1900/UDP: Universal Plug and Play (UPnP) is a protocol standard designed to allow device discovery over a local network. Some home routers may expose this port to the Internet, which could allow attackers to defeat the security attributes of Network Address Translation (NAT) and allow attackers to use the port for Reflective DDOS attacks.


Contributor

 • 

1 Message

7 years ago

Is there a way to unblock that port for a specific account?

Does AT&T provide any recommendations on how devices on a home network should synchronize their clocks if that port is blocked?

 

Community Support

 • 

1.3K Messages

7 years ago

@mfcmfc,

The only one that I know that can be unblocked is 25. I will ask around to some contacts to see if any of the others is possible. But as of right now I would have to say no. If I learn differently then I will get back to you.

Teacher

 • 

15 Messages

7 years ago

I really need port 1900 unblocked. Is there any way I could get this done? Just on one of my devices.

Tutor

 • 

6 Messages

7 years ago

I would like inbound UDP 123 unblocked on a block of static IPv4 addresses we subscribe to, if possible.  Were you able to find out if unblocking UDP 123 is possible?

Contributor

 • 

1 Message

6 years ago

I called support this morning and managed to get UDP 123 unblocked. Mind you, it took 4 transfers and about 50 minutes to reach the right support group that could do this, but once I did, the agent did it quickly and efficiently, and happily all my machines are now time syncing. "Fiber support" was who ended up helping me.

 

Thankful for this thread to know that AT&T was originally blocking it! I wasn't sure if the problem was my NTP config, my router/firewall config, or AT&T.

 

Good luck!
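For the question raised in this thread of whether a sync failure comes from the NTP config, the router/firewall or the ISP filter, here is an added diagnostic example; it is not code from any poster or from AT&T. It sends one SNTP request to UDP 123 from an ephemeral source port and then from source port 123, validating any reply; the function names are hypothetical, and the idea that a filter may treat source port 123 differently from an ephemeral port is an assumption to test, not something the policy states.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_request(now=None):
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, transmit timestamp set."""
    now = time.time() if now is None else now
    secs = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((now % 1) * 2**32)
    return struct.pack("!B39xII", (4 << 3) | 3, secs, frac)

def parse_reply(data, request):
    """Validate a server reply; return (stratum, unix_time) or raise ValueError."""
    if len(data) < 48:
        raise ValueError("short packet")
    if data[0] & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    if data[24:32] != request[40:48]:  # server must echo our transmit timestamp
        raise ValueError("origin timestamp does not echo our request")
    if data[1] == 0:  # stratum 0 carries an ASCII kiss code in the reference ID
        raise ValueError("kiss-o'-death: " + data[12:16].decode("ascii", "replace"))
    secs, frac = struct.unpack("!II", data[40:48])
    return data[1], secs - NTP_EPOCH_OFFSET + frac / 2**32

def probe(server, source_port=0, timeout=3.0):
    """Send one request from source_port (0 = ephemeral) and describe the result."""
    req = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.bind(("", source_port))
            s.sendto(req, (server, 123))
            data, _ = s.recvfrom(512)
            return "ok stratum=%d time=%.3f" % parse_reply(data, req)
        except socket.timeout:
            return "no reply (filtered or dropped somewhere on the path)"
        except (OSError, ValueError) as e:
            return "error: %s" % e

if __name__ == "__main__":
    # Binding to 123 needs privileges and no local NTP daemon holding the port.
    for port in (0, 123):
        print("source port", port or "ephemeral", "->", probe("pool.ntp.org", port))
```

A reply on the ephemeral port but a timeout from source port 123 points at a port-123 filter on the path rather than at the client configuration; timeouts on both need a check of the local firewall first.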

Tutor

 • 

6 Messages

6 years ago

Did you get inbound or outbound requests unblocked? I have a PBX running for a couple phones on other networks and their default configurations point to the PBX for time sync, so they need to access UDP 123 behind my router. I would need it unblocked in both directions.
