HP Recommended

Our Networking Department received an email that stated:

 

"A public NTP server on your network, running on IP address [omitted] and UDP port 123, participated in a very large-scale attack against a customer of ours, generating UDP responses to spoofed "monlist" requests that claimed to be from the attack target."

 

The IP address is assigned to the RMX Shelf Management. 

 

The email also included the following suggestions:

Please consider reconfiguring this NTP server in one or more of these ways:

 

  1. If you run ntpd, upgrading to the latest version, which removes the "monlist" command that is used for these attacks; alternately, disabling the monitoring function by adding "disable monitor" to your /etc/ntp.conf file.
  2. Setting the NTP installation to act as a client only. With ntpd, that can be done with "restrict default ignore" in /etc/ntp.conf; other daemons should have a similar configuration option. More information on configuring different devices can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html.

Our RMX is not behind a firewall, so we can't make any adjustment there.

 

Any advice on how I can resolve the "exploit"?  Does the RMX have an NTP server that can be configured?

 

Thanks,

CCC-ITV
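Added example, not part of the thread and not Polycom or ntpd tooling: a small Python audit for the two ntp.conf settings the quoted email suggests ("disable monitor" and "restrict default ignore"), for hosts where that file can be edited. The function names and both sample configs are constructed for illustration, and accepting "noquery" in place of "ignore" is an assumption beyond the email's wording.

```python
# Constructed sample configs for illustration (not taken from the RMX or any real host).
EXPOSED = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
# disable monitor
restrict 127.0.0.1
"""
HARDENED = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
disable monitor             # no client list for "monlist" to return
restrict default ignore     # client only: unsolicited packets are dropped
restrict -6 default ignore
restrict 127.0.0.1
"""

def directives(text):
    """Yield each non-empty config line as a token list, with # comments removed."""
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            yield tokens

def audit_ntp_conf(text):
    """Return findings; an empty list means both settings from the email are present."""
    monitor_disabled = False
    default_rules = []                      # flag sets of every "restrict default" line
    for tok in directives(text):
        if tok[0] in ("disable", "enable") and "monitor" in tok[1:]:
            monitor_disabled = tok[0] == "disable"   # simplification: last one wins
        elif tok[0] == "restrict":
            args = [a for a in tok[1:] if a not in ("-4", "-6")]
            if args and args[0] == "default":
                default_rules.append(set(args[1:]))
    findings = []
    if not monitor_disabled:
        findings.append('monitoring is on: add "disable monitor"')
    if not default_rules:
        findings.append('no "restrict default" line found')
    for flags in default_rules:
        # "noquery" is accepted as well as "ignore" (assumption beyond the email's text)
        if not flags & {"ignore", "noquery"}:
            findings.append('"restrict default" without ignore/noquery: ' + " ".join(sorted(flags)))
    return findings

if __name__ == "__main__":
    for name, conf in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(name, audit_ntp_conf(conf) or "ok")
```
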

3 REPLIES
HP Recommended

What version of software are you running on your RMX? I need all 4 digits as specified on the System Information page.

 

 

HP Recommended

Hi Mike - thanks for the reply.

 

MCU Version is: 7.0.2.68

 

We do have a maintenance agreement for the RMX, so I placed a support call and created a ticket.  A suggested quick fix was to unplug the cable from the ShMG (Shelf Management) port from the back of the RMX.  Apparently ShMG is only needed for diagnostics and hardware monitoring.  There was no cable in that port, but we were still able to ping the IP address that is assigned to the RMX Shelf Management.  Within RMX Manager, I changed the IP address for Shelf Management to 0.0.0.0.  I can no longer ping the address and our ISP monitors have indicated the UDP responses and spoofed requests have stopped.  For now, I think the problem has been resolved short term.  Long term, we've been told that installing a Video Board Proxy (VBP) may give us more protection from future attacks.

 

On another note, I'm considering upgrading our RMX 2000 to the latest software version this summer.  I'm hesitant because we'll also have to upgrade our RSS 4000 and CMA 4000, but our CMA is EOL.  Besides this rogue NTP attack, our video conferencing has been fairly reliable for years, and I'd hate for the upgrade to break something.

 

HP Recommended

First off, setting the shelf IP address to 0.0.0.0 is not good. You really need to put that back the way it was.

 

Since you have an active service agreement the fix for your issue is to upgrade to version 7.8.0.246.182

 
