NTP and Bittorrent traffic issue


L1 Bithead

Hello and sorry for my poor English.

I wrote this question/feedback before here, but no one wrote an answer. I decided to share it here as well.


We are a member of pool.ntp.org

Our time server url is ntp.cbu.edu.tr

Beginning May 19th, a problem appeared on our NTP service. We started getting a lot of bittorrent requests. Of course, the requests were denied. However, pool.ntp.org started reporting that we were not responding to ntp requests.

We captured the packets that PaloAlto detected as bittorrent. When we examined the packets, we could not see anything other than ntp traffic.

As a result, we think that PaloAlto mistakenly detected ntp traffic as bittorrent traffic.

If you want to examine it, I'm putting here a file of the packets we captured.


Thank you.




Community Team Member

Hi @riza.emet ,


The Community Feedback area is dedicated to questions about the LIVEcommunity.


In order to get better traction for your question I've moved it to the VirusTotal discussions area. This area is moderated by the threat team to check signatures and verdicts.


Cheers,

-Kiwi.

LIVEcommunity team member, CISSP

Did you get any proper solution for this problem?

No, we haven't found it yet. However, we have opened a case with PaloAlto Support for the issue. We're waiting.

L7 Applicator

Sorry but I don't believe this has anything to do with VirusTotal either. This forum is for non-customers. The Threat and Vulnerability forum may have been a better fit, however, posts in the LIVECommunity expect answers from other Palo Alto Networks customers. If you need a response from Palo Alto Networks Support, the correct avenue for help is filing a Support ticket.

What is your Security policy for the incoming NTP traffic to your server? Are you using Application="ntp" and Service="application-default" in your allow rule? Or are you using a Service="udp_123" or something similar?

We are using Application="ntp" and Service="application-default" in our allow rule.

Monitor shows some udp-123 traffic as "ntp" and some udp-123 traffic as "bittorrent". As expected, bittorrent is blocked, but those sessions are actually ntp.

Seems like a false positive then. Looking through my PaloAlto Apps and Threats release notes I don't see anything about bittorrent Application changes in the last year. I think you are going to have to get PaloAlto support to investigate/fix the false positive. If it is a serious problem for you, you could temporarily bypass the application filter and just allow UDP 123 in the meantime.

L7 Applicator

I replayed your PCAP to my lab. I see NTPv4 traffic detected as ntp-base, and NTPv1 traffic detected as ntp-non-rfc. I don't see any bittorrent traffic, but I am running 10.2.2, maybe your PAN-OS identifies it differently. Check the source ports of the sessions identified as bittorrent, and compare them to your packet capture to see if there is a correlation between NTPv1 and bittorrent, versus NTPv4 and correct identification of ntp-base traffic. It is possible that your firewall is detecting ntp-non-rfc as bittorrent.

L7 Applicator

Also check if the misdetection began around March 15, 2022, that's when the change was pushed in Content. https://live.paloaltonetworks.com/t5/customer-resources/app-id-decoders-enhancement-plan/ta-p/469547


You can test adding ntp-non-rfc as an allowed app in your policy to see if it resolves the issue.
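The check suggested in the two replies above (compare the source ports of the sessions the firewall labelled "bittorrent" against the NTP version field in the capture) can be scripted. The following is an added example, not code from the thread or from Palo Alto Networks: it reads a classic libpcap file (Ethernet/IPv4/UDP only, not pcapng), extracts the NTP version from the first byte of each UDP/123 payload, and tallies versions per App-ID verdict using constructed traffic-log rows in a simplified `app,sport,dport,action` CSV shape (the real PAN-OS traffic log has many more columns). The sample packets and log lines are constructed for the demonstration; a real run would load the capture with `open(path, "rb").read()` and export the matching log rows from Monitor.

```python
"""Correlate firewall App-ID verdicts with the NTP version seen on the wire."""
import struct
from collections import Counter


def make_ntp_packet(version: int, mode: int = 3) -> bytes:
    """Constructed 48-byte NTP client packet; only the LI/VN/Mode byte is set."""
    first = (0 << 6) | ((version & 0x7) << 3) | (mode & 0x7)
    return bytes([first]) + b"\x00" * 47


# Constructed sample traffic keyed by UDP source port (not from the thread's PCAP).
SAMPLE_PACKETS = {
    51234: make_ntp_packet(1),  # NTPv1 client query
    51235: make_ntp_packet(4),  # NTPv4 client query
    51236: make_ntp_packet(1),
    51237: make_ntp_packet(3),
}

# Constructed, simplified traffic-log rows: app,sport,dport,action.
SAMPLE_LOG = """\
ntp,51235,123,allow
bittorrent,51234,123,deny
bittorrent,51236,123,deny
ntp,51237,123,allow
"""


def build_pcap(packets: dict[int, bytes], dport: int = 123) -> bytes:
    """Write a little-endian libpcap file (linktype 1 = Ethernet) for the samples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sport, payload in packets.items():
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def extract_udp_payloads(pcap: bytes, dport: int = 123) -> dict[int, bytes]:
    """Return {udp_source_port: payload} for every UDP packet sent to dport."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not supported here)")
    result: dict[int, bytes] = {}
    offset = 24  # skip the global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:
            continue  # not UDP
        udp = frame[14 + ihl:]
        sport, dst = struct.unpack("!HH", udp[:4])
        if dst == dport:
            result[sport] = udp[8:]
    return result


def parse_ntp_header(packet: bytes) -> dict:
    """Decode Leap Indicator, Version Number and Mode from the first NTP byte."""
    if len(packet) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    first = packet[0]
    return {"li": first >> 6, "version": (first >> 3) & 0x7, "mode": first & 0x7}


def parse_log(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, sport, dport, action = line.split(",")
        rows.append({"app": app, "sport": int(sport), "dport": int(dport), "action": action})
    return rows


def correlate(packets: dict[int, bytes], log_text: str) -> dict[str, Counter]:
    """Per App-ID verdict, count which NTP versions the matching source ports carried."""
    result: dict[str, Counter] = {}
    for row in parse_log(log_text):
        pkt = packets.get(row["sport"])
        if pkt is None:
            continue  # session not present in the capture
        ver = parse_ntp_header(pkt)["version"]
        result.setdefault(row["app"], Counter())[ver] += 1
    return result


if __name__ == "__main__":
    payloads = extract_udp_payloads(build_pcap(SAMPLE_PACKETS))
    for app, versions in correlate(payloads, SAMPLE_LOG).items():
        print(f"{app}: NTP versions {dict(versions)}")
```

If the "bittorrent" verdicts line up with one NTP version (here all NTPv1) while the "ntp" verdicts are NTPv3/v4, that supports the ntp-non-rfc hypothesis from the reply and gives Support a concrete correlation to work with, rather than the whole capture.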

Thanks for the answer. I will compare.

L1 Bithead

The problem is to be fixed with Apps and Threats Update 8586. The release note says that the false positive is fixed.

Thank you for your interest.
