11-06-2017 12:16 PM - edited 02-21-2020 06:39 AM
Dears, please, I want your support with this issue.
An NTP control (mode 6) message with the UNSETTRAP (31) opcode with an unknown association identifier will cause NTP to respond with two packets -- one error response packet indicating that the association identifier was invalid followed by another nonerror, largely empty response. Because the number of packets sent as the response is greater than the single packet request, this can be used to conduct a DRDoS attack using vulnerable NTP servers as the unwitting third parties.
Apply a restrict option to all hosts that are not authorized to perform NTP queries. For example, to deny query requests from all clients, put the following in the NTP configuration file, typically /etc/ntp.conf, and restart the NTP service:
11-06-2017 05:19 PM
Hi @mohamed.ali
Which device are we talking about? Switch, router, firewall, etc.?
Looks like someone ran an audit tool and asked you to fix this, right?
-If I helped you somehow, please, rate it as useful.-
11-06-2017 11:11 PM
11-08-2017 04:38 PM
Hi,
Are you using the switch as ntp master? If so, then you will need to restrict who can query that switch. Create an access-list with the addresses that are allowed to query time and apply it with ntp access-group serve-only, e.g.
access-list 10 permit 192.168.10.0 0.0.0.255
ntp access-group serve-only 10
You can then create an access-list with deny any and apply it using ntp access-group serve and ntp access-group query-only.
Configure your ntp servers, and you can use ntp access-group peer to restrict the addresses your switch will get time from.
thanks
John
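Putting John's steps together as one complete IOS configuration (this is an added example, not John's own config or anything from the thread; the addresses and ACL numbers are placeholders you must replace with your own):

```cisco
! Added example, not from the thread. All addresses and ACL numbers are assumed placeholders.
! ACL 10: clients that are allowed to synchronise time from this switch
access-list 10 remark NTP clients allowed to sync (serve-only)
access-list 10 permit 192.168.10.0 0.0.0.255
! ACL 20: matches nothing, used to refuse control (mode 6/7) queries and full "serve" access
access-list 20 remark NTP deny-all for serve and query-only
access-list 20 deny any
! ACL 30: the only upstream source this switch may accept time from
access-list 30 remark trusted upstream NTP source
access-list 30 permit host 203.0.113.10
!
! Upstream server; it needs "peer" access because the switch syncs from it
ntp server 203.0.113.10
ntp access-group peer 30
ntp access-group serve 20
ntp access-group serve-only 10
ntp access-group query-only 20
!
! Verify what is applied
! show running-config | section ntp
! show ntp associations
```

The query-only group is the one that governs mode 6 control messages, so the deny-any ACL there is what stops the UNSETTRAP probe the audit tool reported, while serve-only still lets the clients in ACL 10 synchronise normally. IOS evaluates the groups in the order peer, serve, serve-only, query-only, which is why the upstream source sits in the peer group rather than one of the more restricted ones.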