05-02-2017 01:02 AM - edited 03-20-2019 09:20 PM
FYI: We are running IOS 15.2(4)E2 on our switch, but a Nessus scan detected mode 6 still enabled in this IOS, although "15.2(4)E" is listed in Fixed releases.
05-08-2017 01:01 PM
I ran into this problem as well. New versions that have been fixed for this bug will still reply to NTP mode 6 requests, but they are now rate limited to avoid the amplification attack. See below.
• CSCum44673
Old behavior: By default, it was allowed with no rate control, through which hackers can bombard the router and NTP process.
New behavior: By default, mode 6 control packets are allowed with 3 second rate control. If required, the user can disable with the no ntp allow mode control CLI.
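An added example, not part of the original posts and not Cisco or Nessus code: a Python check that sends a few NTP mode 6 "read variables" queries inside the 3 second window to a device you administer and reports whether replies look absent, rate limited, or unrestricted. It assumes that rate control means only some queries in the window are answered; the function names and the three result labels are hypothetical.

```python
import socket, struct, sys, time

HDR = struct.Struct("!BBHHHHH")   # LI/VN/mode, R-E-M/opcode, seq, status, assoc, offset, count
MODE_CONTROL, OP_READVAR = 6, 2

def build_readvar(seq, version=2):
    """12-byte mode 6 'read variables' request, the same query ntpq -c rv sends."""
    return HDR.pack((version << 3) | MODE_CONTROL, OP_READVAR, seq, 0, 0, 0, 0)

def parse_control(pkt):
    """Return header fields of a mode 6 packet, or None if it is not one."""
    if len(pkt) < HDR.size:
        return None
    b0, b1, seq, _status, _assoc, _offset, count = HDR.unpack_from(pkt)
    if b0 & 0x07 != MODE_CONTROL:
        return None
    return {"response": bool(b1 & 0x80), "opcode": b1 & 0x1F, "seq": seq, "count": count}

def classify(replies):
    """replies: one bool per probe, all sent inside the assumed 3 s window."""
    if not any(replies):
        return "no mode 6 reply"
    # Assumption: a rate-limited device answers only some probes in the window.
    # Packet loss looks the same, so repeat the run before trusting this result.
    return "unrestricted" if all(replies) else "rate limited"

def probe(host, probes=3, wait=0.5):
    """Send `probes` queries in under 3 s and record which ones were answered."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for seq in range(1, probes + 1):
            s.sendto(build_readvar(seq), (host, 123))
            deadline, got = time.monotonic() + wait, False
            while not got and (left := deadline - time.monotonic()) > 0:
                s.settimeout(left)
                try:
                    hdr = parse_control(s.recvfrom(4096)[0])
                except OSError:   # timeout or ICMP-induced socket error
                    break
                # Ignore late fragments of an earlier reply (sequence mismatch).
                got = bool(hdr and hdr["response"] and hdr["seq"] == seq)
            replies.append(got)
    return classify(replies)

if __name__ == "__main__":
    print(probe(sys.argv[1]))   # address of a switch you administer
```

A scanner that sends a single query sees one reply in either the "rate limited" or the "unrestricted" case, which is consistent with a fixed release still being flagged.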
05-09-2017 02:24 AM
Thanks, that explains it. I didn't notice that in release notes.
09-10-2019 09:03 AM
When applying no ntp allow mode control, does this allow mode 6 queries without rate control, effectively opening back up the vulnerability?