The NTP is one of those very useful and often ignored internet services that lets you keep the clocks of all your machines in sync. Synchronized clocks make log analysis much more straightforward, so a good clock is essential for security services.
Anyway, back to the story. It turned out that the suspect requests were all using an old and deprecated version of the protocol. And there were a lot of them: more than three million connections from over 250,000 different machines. Smelling a rat, the operator decided to investigate further.
After a bit of detective work, he discovered that most, if not all, of the requests were coming from a particular model of wireless router used by home users and small businesses. In its default configuration, the router had the Denmark NTP server as one of its list of servers to contact.
Unfortunately the router's software broke several rules. First, it should not have been set to contact a so-called "Stratum 1" NTP server, which is reserved for larger networks. Second, to make matters worse, it made no attempt to cache the DNS lookups, so like an impatient child on a long drive it kept asking the same question over and over. Finally, and perhaps daftest of all, it attempted to synchronise the time every 30 seconds.
Of course the owners of the offending routers were none the wiser. As can be seen by the large number of unprotected wireless networks still around, Joe Public will usually not change default settings (nor should he have to, if the product has been sensibly configured). In effect, the routers were acting as a dumb, but large-scale denial-of-service attack. This is all rather frustrating, as a brief review of the relevant specifications will quickly identify the polite way of using services such as NTP.
This case shows once again why monitoring what is going out of your network is as important as knowing what's coming in. Unfortunately, many small business firewalls come pre-configured to assume that anything inside the wall is trustworthy, and allow anything to go out. This is a bit like setting up your plumbing to flush into the street.
A sensible security policy that limits outgoing connections to appropriate systems will prevent you from falling foul of badly configured hardware. There are enough intentional vandals on the internet, the last thing we need is accidental ones as well.
