Any experience with an excessive number of ThunderVPN hits?

The issue is under review of Sophos Labs. 

Thank you.  There was a pattern update this AM to 18.18.58 but it didn't seem to address this.  Please keep us up to date.

So i need a tcpdump (pcap) of this traffic, like last time. 

tcpdump -ni any port 123 -b -w /tmp/thundervpn.pcap 

conntrack -L | grep 123 

any progres to report?

Ian

I cannot reproduce this on any of my firewalls. Therefor we need the dumps, as mentioned. 

I will see what I can capture. I see about 100 hits, but 288B of data (bytes) which makes capture difficult.

ian

I had a case open for this issue.  Support's answer was to have me create a workaround FW rule to allow NTP traffic at the top of the rule stack.  The tech led me to believe this was being worked on and to wait for a pattern update.  Not an acceptable answer, but eh, what else was I supposed to do?  So my case is closed now.

That said, I'd be happy to try and collect what you need, as I disabled that FW rule just now and no surprise I'm getting tons of blocks for Thunder VPN again on UDP/123.  

But, can you be a bit more specific on what to run and HOW to run the commands?  I tried the first command you mentioned above from CLI by SSH'ing into my FW, but the command doesn't run as you've got it typed.  The conntrak command doesn't seem to exist, as I recall when I tried it.  Glad to try and help if you can help me with more detail.

You need to perform both on the advanced Shell. Option 5 / 3. 

I've got a pcap file and the output from the conntrak command.  How can I get them to you?

You can send me a PM.

You can send me a PM.

I have the same problem. Every day 2-3K blocked connections due to ThunderVPN but I don't have this software installed on any device. The connected devices are an iPhone. Please help.  

Hi folks,

there appears to be some progress on this issue, while still seeing thundervpn in the daily report and the GUI, I am also seeing NTP  as being reported correctly in the daily reports.

The daily reports usually take at least 24 hours to catchup. I will investigate further.

Ian

Let me know what you did differently, I'm not seeing any dramatic improvement.  When I used the App rule to block level 5 (which I do) I see tens of thousands of Thunder VPN (Port 123) block exceptions every day.    I'm at 18.18.60.  So much that it impairs a number of IoT devices that depend on this.  I had to put a Thunder VPN App allow rule in to stabilize my system.  Would be REALLY NICE to see Sophos fix this.   Thanks

Those pattern are created by Sophos Labs. Therefore it is currently under investigation. If you have a pcap (Packet capture) of this NTP traffic, feel free to submit this: support.sophos.com/.../filesubmission

Hi,

I spoke too soon, today's report shows thundervpn thundering along and ump 123 back to unclassified. The interesting thing about this is on  my system it only affects the apple devices. The NTP server has its own rule and that traffic is not classified as thundervpn. I suppose I could disabled the IPS on the internal rules to remove the incorrect reporting.

Ian

The really stupid thing is not all NTP traffic is classified as thundervpn.

LuCar Toni - I sent you a PM on 10/6 with a pcap attached as well as a conntrak that captures this traffic.  Did you not get my PM?

I forwarded this pcap to Labs. But they have to analyze the traffic and find the root cause. More pcaps submitted by the process above would be helpful to find the pattern. 

I see, ok.  I submitted last night the same pcap and conntrak files at the file submission link you shared above.  It created a case (04501211).  Over night it was looked at and closed.  The comments for each file were "not detect-worthy" ... and the overall comment was "This means that after investigation and analysis of the file SophosLabs has come up to a result that the sample submitted is not malicious, not showing any malicious behaviour and properties."

I don't know what else to do here.  I opened a support case on this issue earlier in October.  After about 4 days I finally talked to a tech and he went down the workaround route for the issue for the time being, which I have done.  That case (04447658) was then closed.

It seems pretty straightforward here to me.  Someone at Sophos Labs needs to go back and see what changes were made in the 18.18.56 IPS/App signatures on 9/23 and roll them back with respect to NTP traffic on UDP/123 and Thunder VPN.  Why someone would blanket presume that well known UDP port 123 NTP traffic was Thunder VPN is beyond me.  I have multiple client devices on my network unable to get NTP updates with this issue present.  I have Apple products, I have Microsoft products, I have other IoT devices, I have Hikvision security cameras.  Heck, I can reproduce this AT WILL with my Apple MacBook Pro laptop.  There is no Thunder VPN in my network.  My Hikvision cameras do not have Thunder VPN on them.  But yet all ~35 endpoints on my network can't get NTP updates with this IPS/App filter post 18.18.56.

Feel free to take these two case numbers back internally and see what else you can do.  I appreciate the help as I don't know what else I can as a support paying Sophos XG customer.  But I'll tell you, this support experience (frankly it's my first real one) isn't leaving me with a positive impression.

Did you create a Submission or a Application Control Submission?
BTW: ThunderVPN uses Port 123 to connect. It is a cheap way to hide behind port based app controls. 

I submitted it as "Application Control" ... was that incorrect?  Should I choose "Sample File" instead?  Thanks for the added info on how Thunder VPN uses ports.