21546 Views | 25 Helpful | 5 Replies

How to restrict ntp mode 6 queries

Hi,

Could anybody suggest how to restrict NTP mode 6 queries on Cisco devices like the Nexus 5548, Catalyst 3850, etc.?

 

Thanks in advance..

Laxi

5 REPLIES
VIP Advisor

Re: How to restrict ntp mode 6 queries

Hi there,
If you are concerned about the NTP mode 6 amplification attack, then the only short-term solutions available to you are to configure NTP access-groups, interface ACLs and CoPP. All of these workarounds are vulnerable to the fact that a source address can be spoofed.
The long-term fix is to upgrade your IOS/IOS-XE version to one which implements the following command:

 

!
ntp allow mode control xx
!

cheers,

Seb.

Beginner

Re: How to restrict ntp mode 6 queries

You can add an ACL permitting your NTP servers and denying everything else, allowing only time requests and blocking control queries.

 

Example:

--------------------------------------
ip access-list extended NTP
 permit ip host 10.1.1.1 any
 permit ip any host 10.1.1.1
 permit ip host 10.1.1.2 any
 permit ip any host 10.1.1.2
 permit ip host 10.1.1.3 any
 permit ip any host 10.1.1.3
!
ntp access-group serve-only NTP
--------------------------------------

Cisco Employee

Re: what is NTP mode 6 ?

VIP Advisor

Re: what is NTP mode 6 ?

Hi there,

The mode value is sent in NTP query packets. Queries marked with a mode value of 6 are NTP Control Messages. The response will contain the NTP server's state along with a list of known peers.

Crucially, the response is larger than the request. When a request comes from a spoofed source, this can be used in a DDoS attack.

 

cheers,

Seb.
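To make the mode field and the size asymmetry Seb describes concrete, here is an added example (not code from this thread or from Cisco) that reads the mode from the NTP header, separates control requests from control responses, and reports the bytes returned per untrusted peer. The device address, the peers, the payloads and the trusted range are all constructed.

```python
# Added example (not from the thread): flag NTP mode 6 control traffic in a
# packet list and estimate the amplification per untrusted peer. Header per
# RFC 5905: byte 0 = LI(2)|VN(3)|Mode(3); mode 6 byte 1 = R|E|M|Opcode(5),
# R set on responses (RFC 1305 App. B). All addresses/payloads are constructed.
import ipaddress
import struct
from collections import defaultdict

def ntp_mode(payload: bytes) -> int:
    """Mode is the low 3 bits of the first header byte."""
    if not payload:
        raise ValueError("empty NTP payload")
    return payload[0] & 0x07

def is_control_response(payload: bytes) -> bool:
    """True for a mode 6 packet whose R (response) bit is set."""
    return ntp_mode(payload) == 6 and len(payload) >= 12 and bool(payload[1] & 0x80)

def audit(packets, trusted_nets):
    """packets: (src_ip, dst_ip, udp_payload) tuples seen at the device. Returns,
    per peer outside trusted_nets, its mode 6 request count, bytes in/out and
    the response/request byte ratio (the amplification the thread warns about)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    stats = defaultdict(lambda: {"requests": 0, "req_bytes": 0, "resp_bytes": 0})
    for src, dst, payload in packets:
        if ntp_mode(payload) != 6:
            continue                    # ordinary time sync (modes 1-5) is not the issue
        if is_control_response(payload):
            stats[dst]["resp_bytes"] += len(payload)   # device answering the peer
        else:
            stats[src]["requests"] += 1
            stats[src]["req_bytes"] += len(payload)
    findings = {}
    for peer, s in stats.items():
        if any(ipaddress.ip_address(peer) in net for net in trusted):
            continue                    # management hosts may legitimately run ntpq
        ratio = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else 0.0
        findings[peer] = {**s, "amplification": round(ratio, 1)}
    return findings

# Constructed packets: 0x16 = version 2, mode 6; 0x23 = version 4, mode 3.
CTRL_REQ = bytes([0x16, 0x02]) + b"\x00" * 10                       # 12-byte control request
CTRL_RESP = bytes([0x16, 0x82]) + b"\x00" * 8 + struct.pack("!H", 400) + b"v" * 400
TIME_REQ = bytes([0x23]) + b"\x00" * 47                             # 48-byte client request
SAMPLE = [("10.1.1.1", "192.0.2.10", TIME_REQ),       # trusted server, normal sync
          ("198.51.100.7", "192.0.2.10", CTRL_REQ),   # control query from the internet
          ("192.0.2.10", "198.51.100.7", CTRL_RESP),  # device answers with ~34x the bytes
          ("10.1.1.2", "192.0.2.10", CTRL_REQ)]       # trusted host running ntpq, ignored
def demo():
    return audit(SAMPLE, ["10.1.1.0/24"])
```

Feeding it real captures from the device's uplink shows at once whether untrusted peers are receiving mode 6 answers, which is what `ntp allow mode control` or an access-group should stop.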

Cisco Employee

Re: what is NTP mode 6 ?

Thank you so much for your help!