I'm running UTM 9 (latest version) on a PC as the firewall/router for my home network. My ISP is Comcast. Recently, I started using the Flow Monitor feature from the UTM Dashboard, and I've noticed some odd traffic that concerns me. I could use some advice on how to analyze this, and control it, if it is actually a problem.
The problem appears to be bursts of NTP traffic from the Internet to my WAN address that last about 5 minutes at a time. When they occur, they pretty much dwarf all my other traffic, according to the Flow Monitor chart. I don't know if this occurs at regular intervals or not. I should note that I am not running any NTP servers, either public or private, on my LAN, and I don't even have the UTM's NTP service turned on. My LAN includes Macs, iOS devices, TiVos, a PS3, and a wireless access point (secured with WPA2), but no Windows machines.
Here's an example of what I see in the Flow Monitor chart:
[image: Chart.png]
Here's the flow monitor table that corresponds to the chart:
[image: Table.png]
If I click on the NTP line in the table, I get a list of servers that looks like this:
[image: Server Details.png]
None of those computers are known to me. If I click on the traffic number in the NTP line of the chart, I get something like this:
Total Traffic for NTP
Download IN 81 MB
Upload OUT 83 MB
Does this mean something inside my LAN has sent 83 MB of NTP traffic out? I can't imagine what that would be, or why. Or is that just indicating that the incoming traffic has been "bounced back" at the UTM? Every time I check the total traffic, the download and upload values are very similar.
My first concern is the Block button in the Flow Monitor table. It does create a blocking rule in the Application Control Rules, but it doesn't reduce or eliminate the NTP traffic, according to the Flow Monitor chart/table. (If it's simply showing me the traffic hitting the UTM upstream of where the blocking rule is applied, then I wouldn't expect to see any change here.)
More concerning to me is that, if not for the Flow Monitor chart/table, I would have no idea this was even going on. None of this NTP traffic appears in my UTM firewall or intrusion protection logs. Even if I turn off the application control rule block, and add a firewall rule in position #1 to block and log Internet traffic to my External (WAN) address on TCP/UDP port 123 (the NTP port), it doesn't show up in the logs. However, I can go to the ShieldsUp website (grc.com) and manually probe port 123, and that does show up in the firewall log.
So, does anyone have an idea what's causing this traffic? If it's trying to get to something on my LAN, how do I figure out what the target is? What else should I be doing to try to capture/analyze this situation? If it's a problem, is there anything else I can do to control it? Any help would be appreciated.
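The questions in the post (is the 83 MB of "upload" real NTP traffic leaving the LAN, or replies bounced off the UTM, and is the UTM answering these hosts at all) can be settled from a packet capture on the WAN interface rather than from the Flow Monitor counters. The script below is an added example, not part of the original post and not a Sophos tool. It assumes you have already run something like `tcpdump -ni <wan-interface> -w ntp.pcap udp port 123` on the UTM's shell (tcpdump is assumed to be available there) and extracted `(src, dst, udp_payload)` tuples from the capture; the packets embedded here are constructed sample data, and `WAN_ADDR` is a hypothetical placeholder in the TEST-NET-3 documentation range. It reads the NTP mode field from each datagram (RFC 5905: low three bits of the first header byte) and pairs inbound and outbound packets per remote host, so you can see whether a remote host is sending client requests that something behind your WAN address answers, whether it is only being sent packets that are never answered, or whether your side is the client (a NATed LAN device syncing time).

```python
"""Classify NTP datagrams from a WAN-side capture by peer, direction and NTP mode.

Added example for analysing the traffic described in the post. It is not the
poster's code and not a Sophos tool. Packets below are constructed sample data;
the WAN address is a hypothetical placeholder.
"""
from collections import Counter, defaultdict

# Hypothetical WAN address of the UTM (documentation range, not a real host).
WAN_ADDR = "203.0.113.10"

# NTP mode values from RFC 5905 (low three bits of the first header byte).
NTP_MODES = {
    0: "reserved", 1: "symmetric-active", 2: "symmetric-passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}


def build_ntp(mode, version=4, length=48):
    """Construct a minimal NTP datagram for sample data: LI=0, given version/mode."""
    first = (version << 3) | mode
    return bytes([first]) + bytes(length - 1)


def ntp_mode(payload):
    """Return the NTP mode of a datagram, or None if the payload is empty."""
    if not payload:
        return None
    return payload[0] & 0x07


def classify(packets, wan_addr=WAN_ADDR):
    """Aggregate (src, dst, payload) tuples per remote peer, split by direction.

    A packet addressed to wan_addr is inbound; one sourced from wan_addr is
    outbound (after NAT, LAN clients also appear with that source address).
    Packets involving neither are ignored.
    """
    stats = defaultdict(lambda: {
        "in_pkts": 0, "in_bytes": 0, "out_pkts": 0, "out_bytes": 0,
        "in_modes": Counter(), "out_modes": Counter(),
    })
    for src, dst, payload in packets:
        if dst == wan_addr:
            peer, direction = src, "in"
        elif src == wan_addr:
            peer, direction = dst, "out"
        else:
            continue
        s = stats[peer]
        s[direction + "_pkts"] += 1
        s[direction + "_bytes"] += len(payload)
        s[direction + "_modes"][ntp_mode(payload)] += 1
    return dict(stats)


def verdict(peer_stats):
    """Describe what one peer's request/response pattern means for the question in the post."""
    in_modes, out_modes = peer_stats["in_modes"], peer_stats["out_modes"]
    if peer_stats["out_pkts"] == 0:
        return "inbound only: nothing answered this host, so replies cannot explain the upload counter"
    if out_modes.get(4, 0) and in_modes.get(3, 0):
        return "request/response: something behind this WAN address is answering NTP queries"
    if out_modes.get(3, 0) and in_modes.get(4, 0):
        return "outbound client: a host behind the NAT is querying this peer"
    return "mixed/unexpected modes: inspect this peer's packets by hand"


def report(packets, wan_addr=WAN_ADDR):
    """Return one summary line per peer, largest total byte count first."""
    lines = []
    stats = classify(packets, wan_addr)
    by_volume = sorted(stats.items(), key=lambda kv: -(kv[1]["in_bytes"] + kv[1]["out_bytes"]))
    for peer, s in by_volume:
        modes_in = ",".join(NTP_MODES.get(m, str(m)) for m in sorted(s["in_modes"], key=str))
        modes_out = ",".join(NTP_MODES.get(m, str(m)) for m in sorted(s["out_modes"], key=str))
        lines.append(
            f"{peer:>15}  in {s['in_pkts']:>4} pkts/{s['in_bytes']:>6} B [{modes_in}]"
            f"  out {s['out_pkts']:>4} pkts/{s['out_bytes']:>6} B [{modes_out}]  -> {verdict(s)}"
        )
    return lines


# Constructed sample capture (not real observations): three remote peers.
SAMPLE = [
    # Peer A sends client requests and our side answers with server replies.
    ("198.51.100.7", WAN_ADDR, build_ntp(3)),
    (WAN_ADDR, "198.51.100.7", build_ntp(4)),
    ("198.51.100.7", WAN_ADDR, build_ntp(3)),
    (WAN_ADDR, "198.51.100.7", build_ntp(4)),
    # Peer B only sends to us (one normal request, one short mode-7 "private" packet); nothing goes back.
    ("198.51.100.23", WAN_ADDR, build_ntp(3)),
    ("198.51.100.23", WAN_ADDR, build_ntp(7, version=2, length=8)),
    # Peer C: our side is the client, i.e. a LAN device behind NAT syncing its clock.
    (WAN_ADDR, "192.0.2.50", build_ntp(3)),
    ("192.0.2.50", WAN_ADDR, build_ntp(4)),
    # Unrelated packet that must be ignored.
    ("192.0.2.1", "192.0.2.2", build_ntp(3)),
]

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

To feed real data, read the pcap with any library that exposes IP addresses and UDP payloads and build the same tuples. Two checks follow from the output: a peer that shows "request/response" means a device behind the NAT is answering NTP, and a capture on the internal interface (or the UTM's connection-tracking table) will name it; a peer that shows "inbound only" means the packets stop at the UTM, and an 83 MB upload figure that roughly matches the download then needs another explanation than replies.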