
ISP abuse notice

Posted: Fri Jan 20, 2017 10:13 pm
by miken2av
The ISP for our stake center has sent me an email. I checked the headers and it seems legit, though I haven't called them and I haven't called LDS Global Help desk. The message:

"Issue Description – A device on your network is capable of a network-impacting, distributed denial-of-service (DDoS) attack due to a flaw in the Network Time Protocol (NTP) on the device. Various commands in older versions of NTP can be easily exploited for malicious intent."

It goes on to list the evidence:
Issue Description: NTP (Port 123) Vulnerability
Vulnerable Port: 123
Vulnerable IP Address:
Timestamp: 2017-01-15 04:06:33 GMT

It includes the IP address of our connection to our ISP that I verified. We do have a static address.

The email gives instructions on updating NTP protocol on our server. We aren't running any servers. Just Windows 7 and 10 workstations.

I wouldn't think that the ISP could even see anything on our network with the Church Cisco Firewall in place. Could it be the firewall?

Another strange thing is the email sent to me was copied to a person (@xilec.com) at a company located in Draper, UT (I am in Alabama).

Any ideas? Seems like the higher tiers of support from the church are usually only available M-F 9 to 5, so may just wait to call until Monday.

Thanks
Michael STS

Re: ISP abuse notice

Posted: Fri Jan 20, 2017 10:56 pm
by russellhltn
Try this: While on your church network, navigate to grc.com. Click on "ShieldsUp!" on the first two screens. Then "Proceed". Type in "123" and click "User Specified Custom Port Probe". I'd expect you to get "stealth".
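NTP runs over UDP port 123. The following is an added example, not part of the original post: a Python check that sends one standard NTP client query (the same request any time client makes) to an address you administer and reports whether anything answers. The target `192.0.2.10` is a documentation placeholder, and the function names are chosen for this example.

```python
import socket

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900 (NTP epoch) and 1970 (Unix epoch)

def build_client_request(version=4):
    """48-byte NTP header: LI=0, VN=version, Mode=3 (client), all other fields zero."""
    first = (0 << 6) | (version << 3) | 3
    return bytes([first]) + bytes(47)

def parse_reply(data):
    """Decode the fixed header of a reply; None if it is not a server-mode reply."""
    if len(data) < 48:
        return None
    first, stratum = data[0], data[1]
    if first & 0x7 != 4:  # mode 4 = server
        return None
    tx_seconds = int.from_bytes(data[40:44], "big")  # transmit timestamp, seconds part
    return {
        "version": (first >> 3) & 0x7,
        "stratum": stratum,
        "unix_time": tx_seconds - NTP_EPOCH_OFFSET,
    }

def probe(host, timeout=3.0):
    """Send one client query to host:123/udp; return the parsed reply or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_client_request(), (host, NTP_PORT))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout or ICMP unreachable: nothing answered
            return None
    return parse_reply(data)

if __name__ == "__main__":
    import sys
    # Placeholder address (TEST-NET-1); pass your own static IP as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    result = probe(target)
    if result is None:
        print(f"{target}: no NTP reply on UDP 123 (filtered or closed)")
    else:
        print(f"{target}: answers NTP v{result['version']}, stratum {result['stratum']}")
```

Run it from a connection outside the building (for example a home line) against the static IP; a reply means UDP 123 is reachable from the Internet, which is the precondition the notice is about, though it does not show which NTP commands the device accepts.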

Re: ISP abuse notice

Posted: Fri Jan 20, 2017 11:08 pm
by miken2av
I did get Stealth as the result.

Also found out that xilec is a company that handles some billing for the church so they are on the account.

Re: ISP abuse notice

Posted: Fri Jan 20, 2017 11:24 pm
by russellhltn
Wild speculation: might be what the ISP has noticed is that something on the network is using an old NTP protocol. It's not reachable from the outside, but if someone were to attack from within, then it could flood the internet. A quick Google shows a couple of people have received notices from Zen Internet.

Re: ISP abuse notice

Posted: Sat Jan 21, 2017 6:08 am
by miken2av
In talking to our Facilities Manager they have gotten several of the notices all from the same ISP. Charter / Spectrum. The other issue here is the "threat" they give if it isn't resolved:

"Please be advised that Spectrum’s Acceptable Use Policy (AUP) explicitly prohibit actions, whether intentional or unintentional, that disrupt Charter’s network. These policies are available on https://www.charter.net/page/terms-of-service-policies/ for your convenience.

Repeated events and/or complaints pertaining to this network abuse issue may result in an interruption of your service."

Re: ISP abuse notice

Posted: Sat Jan 21, 2017 12:09 pm
by russellhltn
miken2av wrote: In talking to our Facilities Manager they have gotten several of the notices
Which makes me wonder - what devices does FM have connected to the network? They may be what's triggering the notice. Things like thermostats, sprinkler timers, etcetera will likely make time requests and are notorious for not getting software updates. These things may pre-date the phrase "Internet of Things" (IoT), but that's what they are.

I can't rule out something on the router, but it would be something of a major cringe for the church's networking department to let them get that far out of date. However, when it comes to FM's devices ....

Note that insecure IoT devices are now a major concern to ISPs and the biggest threat to the Internet itself. 10 things to know about the October 21 IoT DDoS attacks. Unfortunately, many users and companies don't see a problem with their unsecure devices because "hey, it works".

Re: ISP abuse notice

Posted: Sun Jun 11, 2017 6:28 pm
by rknelson
miken2av wrote: Another strange thing is the email sent to me was copied to a person (@xilec.com) at a company located in draper UT (I am in Alabama)
Xilec is a contractor the church uses to pay ISPs. Supposedly they monitor the bills and look for better deals. In fact, I don't think they do anything except pay the bills. If you check the address you will find it is a residential address.