topic Re: NTP Master problem in Network Security

NTP Master problem

mohamed.ali — Fri, 21 Feb 2020 14:39:31 GMT

Dears plz i want your support to this issue

=: An NTP control (mode 6) message with the UNSETTRAP (31) opcode with an unknown association identifier will cause NTP to respond with two packets -- one error response packet indicating that the association identifier was invalid followed by another nonerror, largely empty response. Because the number of packets sent as the response is greater than the single packet request, this can be used to conduct a DRDoS attack using vulnerable NTP servers as the unwitting third parties.

Apply a restrict option to all hosts that are not authorized to perform NTP queries. For example, to deny query requests from all clients, put the following in the NTP configuration file, typically /etc/ntp.conf, and restart the NTP service:

Re: NTP Master problem

Flavio Miranda — Tue, 07 Nov 2017 01:19:50 GMT

Hi @mohamed.ali

Which device we are talking about? Switch, router, firewall, etc?

Looks like someone ran an audit tool and asked you to fix this right?

-If I helped you somehow, please, rate it as useful.-

Re: NTP Master problem

mohamed.ali — Tue, 07 Nov 2017 07:11:37 GMT

exactly dear,

please note that it's coreSW Catalyst 6807

how can i solve this issue?

Re: NTP Master problem

johnd2310 — Thu, 09 Nov 2017 00:38:09 GMT

Hi,

Are you using the switch as ntp master? if so, then you will need to restrict who can query that switch.Create an access-list with addresses that are allowed to query time and apply to ntp access-group serve-only e.g.

access-list 10 permit 192.168.10.0 0.0.0.255

ntp access-group serve-only 10

you can then create an access-list with deny any and apply it using the ntp access-group serve and ntp access-group query-only.

configure you ntp servers and you can use ntp access-group peer to restrict the address your switch will get time from.

thanks

John