Resolved: Misuse of NL NTP Pool Servers (nl.pool.ntp.org) by misconfigured Devolo 650 powerline adaptors sold by KPN (NL)

All IPv4 servers of nl.pool.ntp.org were seeing a lot of request traffic on port 37/udp (TIME protocol) instead of port 123/udp (NTP protocol). The number of requests on port 37/udp was even larger than the normal port 123/udp requests to the NTP server. The requests to port 37/udp are normally dropped by the firewall. Out of curiosity, an investigation was started into “who is sending a time-related request to the wrong port?”. This showed that most (> 99%) affected IP addresses were customer IP addresses of Dutch Internet Provider KPN. Most affected IP addresses (> 90%) would send a request to port 37/udp every 16 seconds. Some did every 8 seconds. Some even more.

This issue was reported to KPN in late July 2019. The KPN Abuse Team and KPN CERT Team identified the problem within two weeks after the first report to be misconfigured Devolo 650 powerline adaptors. The “problem” is thought to have been around for many years, but it had never been detected before. KPN has 4 stratum 1 NTP time servers of its own to handle the time requests of their customers and their devices, so there was no need to use pool servers. The Devolo 650 powerline adaptors were updated remotely, but need to be rebooted before they use the new corrected settings. One week after the new configuration was pushed to the power adaptors, the wrongful requests have dropped by 20%. The rest is believed to disappear in the upcoming weeks after the devices are rebooted.

The NL NTP Pool server admins thank KPN for the swift identification and resolution of this “non-problem”.

3 Likes
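
One way to surface the pattern described in the post above from firewall drop logs, as an added example that is not part of the original thread: it groups dropped 37/udp requests by source address and reports the sources that poll at a steady period. The log format, function names, thresholds and addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed, simplified drop-log format: "<epoch> DROP SRC=.. DST=.. PROTO=.. SPT=.. DPT=.."
LINE_RE = re.compile(r"^(\d+) DROP SRC=(\S+) .*PROTO=(\S+) .*DPT=(\d+)")


def build_sample_log():
    """Constructed sample lines; addresses are RFC 5737 documentation ranges."""
    fmt = "{} DROP SRC={} DST=198.51.100.1 PROTO={} SPT=40000 DPT={}"
    lines = [fmt.format(1564650000 + 16 * i, "192.0.2.10", "UDP", 37) for i in range(8)]
    lines += [fmt.format(1564650002 + 8 * i, "192.0.2.20", "UDP", 37) for i in range(8)]
    lines.append(fmt.format(1564650003, "203.0.113.5", "UDP", 37))  # single stray request
    lines.append(fmt.format(1564650004, "203.0.113.9", "TCP", 23))  # unrelated drop
    return lines


def time_protocol_pollers(lines, min_requests=4, max_jitter=1.0):
    """Return {source: median interval in seconds} for steady 37/udp pollers."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == "UDP" and m.group(4) == "37":
            seen[m.group(2)].append(int(m.group(1)))

    pollers = {}
    for src, stamps in seen.items():
        if len(stamps) < min_requests:
            continue  # too few requests to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        # A misconfigured client polls on a fixed timer, so every gap sits near the median.
        if all(abs(g - period) <= max_jitter for g in gaps):
            pollers[src] = period
    return pollers


if __name__ == "__main__":
    for src, period in sorted(time_protocol_pollers(build_sample_log()).items()):
        print(f"{src} polls 37/udp every {period:g} s")
```

Grouping the flagged sources by the network they belong to is what points such a report at a single provider.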

Hahahaha, not the first time KPN makes huge mistakes.
They also sold PLCs without ham-band notches, causing a lot of problems for radio amateurs on the HF bands.