Resolved: Misuse of NL NTP Pool Servers (nl.pool.ntp.org) by misconfigured Devolo 650 powerline adaptors sold by KPN (NL)

All IPv4 servers of the nl.pool.ntp.org were seeing a lot of request traffic on port 37/udp (TIME protocol) instead of port 123/udp (NTP protocol). The number of requests on port 37/udp was even larger than the normal port 123/udp requests to the NTP server. The requests to port 37/udp are normally dropped by the firewall. Out of curiosity, an investigation was started into “who is sending a time-related request to the wrong port?”. This showed that most (> 99%) affected IP addresses were customer IP addresses of the Dutch Internet provider KPN. Most affected IP addresses (> 90%) would send a request to port 37/udp every 16 seconds. Some did every 8 seconds. Some even more often.

This issue was reported to KPN in late July 2019. The KPN Abuse Team and KPN CERT Team identified the problem within two weeks after the first report to be misconfigured Devolo 650 powerline adaptors. The “problem” is thought to have been around for many years, but it had never been detected before. KPN has four stratum 1 NTP time servers of its own to handle the time requests of their customers and their devices, so there was no need to use pool servers. The Devolo 650 powerline adaptors were updated remotely, but need to be rebooted before they use the new corrected settings. One week after the new configuration was pushed to the powerline adaptors, the wrongful requests had dropped by 20%. The rest is believed to disappear in the upcoming weeks after the devices are rebooted.

The NL NTP Pool server admins thank KPN for the swift identification and resolution of this “non-problem”.

5 Likes

Hahahaha, not the first time KPN makes huge mistakes.
They also sold PLCs without ham-band notches, causing a lot of problems for radio amateurs on the HF bands.

That’s why this is happening…

(note: 100.100.100.250 is a substitute for my public IPv4)

Apr 21 20:32:38 block igb0 UDP 84.85.254.10:15654 100.100.100.250:37
Apr 21 20:32:38 block igb0 UDP 84.107.154.206:44707 100.100.100.250:37
Apr 21 20:32:38 block igb0 UDP 86.82.234.240:6578 100.100.100.250:37
Apr 21 20:32:42 block igb0 UDP 84.85.254.10:15654 100.100.100.250:37
Apr 21 20:32:42 block igb0 UDP 84.107.154.206:44707 100.100.100.250:37
Apr 21 20:32:42 block igb0 UDP 86.82.234.240:6578 100.100.100.250:37
Apr 21 20:32:42 block igb0 UDP 86.84.54.215:44609 100.100.100.250:37
Apr 21 20:32:43 block igb0 UDP 77.161.195.234:51727 100.100.100.250:37
Apr 21 20:32:46 block igb0 UDP 84.85.254.10:15654 100.100.100.250:37
Apr 21 20:32:46 block igb0 UDP 77.249.93.9:52164 100.100.100.250:37
Apr 21 20:32:46 block igb0 UDP 84.107.154.206:44707 100.100.100.250:37
Apr 21 20:32:46 block igb0 UDP 86.82.234.240:6578 100.100.100.250:37
Apr 21 20:32:47 block igb0 UDP 86.94.122.133:44588 100.100.100.250:37
Apr 21 20:32:50 block igb0 UDP 84.85.254.10:15654 100.100.100.250:37
Apr 21 20:32:50 block igb0 UDP 84.107.154.206:44707 100.100.100.250:37
Apr 21 20:32:50 block igb0 UDP 86.82.234.240:6578 100.100.100.250:37
Apr 21 20:32:54 block igb0 UDP 84.85.254.10:15654 100.100.100.250:37
Apr 21 20:32:54 block igb0 UDP 84.107.154.206:44707 100.100.100.250:37
Apr 21 20:32:55 block igb0 UDP 86.82.234.240:6578 100.100.100.250:37
Apr 21 20:32:55 block igb0 UDP 86.84.54.215:31496 100.100.100.250:37
Apr 21 20:32:55 block igb0 UDP 77.161.195.234:27542 100.100.100.250:37
Apr 21 20:32:58 block igb0 UDP 84.85.254.10:15654 100.100.100.250:37
Apr 21 20:32:59 block igb0 UDP 84.107.154.206:44707 100.100.100.250:37
Apr 21 20:32:59 block igb0 UDP 77.249.93.9:16006 100.100.100.250:37
Apr 21 20:32:59 block igb0 UDP 86.82.234.240:6578 100.100.100.250:37
Apr 21 20:32:59 block igb0 UDP 86.94.122.133:60926 100.100.100.250:37
Apr 21 20:33:03 block igb0 UDP 84.85.254.10:15654 100.100.100.250:37
Apr 21 20:33:03 block igb0 UDP 86.82.234.240:6578 100.100.100.250:37
Apr 21 20:33:03 block igb0 UDP 84.107.154.206:44707 100.100.100.250:37
Apr 21 20:33:08 block igb0 UDP 84.85.254.10:15654 100.100.100.250:37
Apr 21 20:33:08 block igb0 UDP 84.107.154.206:44707 100.100.100.250:37
Apr 21 20:33:08 block igb0 UDP 86.82.234.240:6578 100.100.100.250:37
Apr 21 20:33:09 block igb0 UDP 86.84.54.215:48186 100.100.100.250:37
Apr 21 20:33:09 block igb0 UDP 77.161.195.234:2231 100.100.100.250:37
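As an added example (not the poster's code and not NTP Pool project code), a small Python parser for firewall block lines in the format quoted above: it groups blocked UDP/37 hits by source address and reports how many times and how regularly each source knocks, which is how the "every 16 seconds" pattern from the original post can be confirmed from a log. The sample log and its addresses (RFC 5737 documentation ranges) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches pf/OPNsense-style block lines as quoted in the post, e.g.
# "Apr 21 20:32:38 block igb0 UDP 84.85.254.10:15654 100.100.100.250:37"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) block (?P<ifname>\S+) "
    r"(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: two sources hitting UDP/37 at different rates,
# plus one normal NTP (UDP/123) hit that must be ignored.
SAMPLE_LOG = """\
Apr 21 20:32:38 block igb0 UDP 192.0.2.10:15654 198.51.100.250:37
Apr 21 20:32:38 block igb0 UDP 192.0.2.20:44707 198.51.100.250:37
Apr 21 20:32:42 block igb0 UDP 192.0.2.10:15654 198.51.100.250:37
Apr 21 20:32:43 block igb0 UDP 192.0.2.30:51727 198.51.100.250:123
Apr 21 20:32:46 block igb0 UDP 192.0.2.10:15654 198.51.100.250:37
Apr 21 20:32:54 block igb0 UDP 192.0.2.20:44707 198.51.100.250:37
"""

def parse_line(line, year=2020):
    """Parse one block line into a dict, or None if it does not match.
    Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "proto": m["proto"], "dport": int(m["dport"])}

def summarize_port37(lines, year=2020):
    """Per source address: number of UDP/37 hits and the median gap (seconds)
    between consecutive hits; a stable gap (4, 8, 16 s) points at a periodic
    client such as the misconfigured adaptors rather than random scanning."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line, year)
        if rec and rec["proto"] == "UDP" and rec["dport"] == 37:
            hits[rec["src"]].append(rec["ts"])
    summary = {}
    for src, stamps in hits.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[src] = {"count": len(stamps),
                        "median_interval": median(gaps) if gaps else None}
    return summary

if __name__ == "__main__":
    for src, info in sorted(summarize_port37(SAMPLE_LOG.splitlines()).items(),
                            key=lambda kv: -kv[1]["count"]):
        print(f"{src:16} hits={info['count']} median_gap={info['median_interval']}")
```

Feed it the real log (`summarize_port37(open('/var/log/filter.log'))`, path assumed) to rank sources before deciding on a firewall rule.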

Are we sure this is marked ‘Resolved’? Looking at hits on port 37/udp from 10 minutes of monitoring:

  15 kabeltex.nl
  16 cambrium.nl
  16 tele2.se
  16 xs4all.space
  17 upc.nl
  28 t-mobile.pl
  32 breedbandhelmond.nl
  46 zeelandnet.nl
  48 demon.nl
  48 vodafone-ip.de
  65 t-ipconnect.de
  66 scarlet.be
  96 chello.nl
 160 online.nl
 161 solcon.nl
 180 versatel.nl
 188 telfortglasvezel.nl
 285 caiway.nl
 308 prioritytelecom.net
 467 glasoperator.nl
 467 ziggo.nl
 492 telfort.nl
 545 xs4all.nl
1440 kpn.net
7490 hetnet.nl
12030 planet.nl
15670 direct-adsl.nl

If I am not mistaken, the big numbers are all KPN-based subscriptions.

I was just switched to the Dutch pool, as I was mistakenly added to the US pool because of the origin of my IP address. I can confirm this is still a thing. I started searching because right after the switch I suddenly received all this traffic on port 37 and found this post. Are these all powerline adapters sold by KPN that haven’t had a reboot since 2019? That’s crazy. Can’t we solve this with a nationwide blackout ;).

1 Like

It’s still not “fixed”.
There are many, many IPs that are knocking on UDP 37 on my server in Amsterdam, which looks like a DDoS…

From what I see, it’s a virus attacking or old systems using the Time Protocol that shouldn’t be used anymore.

I wouldn’t care too much about it and simply drop them in your firewall.