
How to restrict ntp mode 6 queries

Hi,

Could anybody suggest how to restrict NTP mode 6 queries on Cisco devices like the Nexus 5548, Catalyst 3850, etc.?

Thanks in advance..

Laxi

6 Replies

Seb Rupik
VIP Alumni

Hi there,
If you are concerned about the NTP mode 6 amplification attack, then the only short-term solutions available to you are to configure NTP access-groups, interface ACLs and CoPP. All of these workarounds are vulnerable to the fact that a source address can be spoofed.
The long-term fix is to upgrade your IOS/IOS-XE version to one which implements the following command:

!
ntp allow mode control xx
!

cheers,

Seb.
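As an added example of the CoPP option Seb lists (this is not configuration posted in this thread), the fragment below polices NTP at the control plane so that a flood of unsolicited queries, mode 6 included, cannot exhaust the route processor, while the expected exchange with the configured upstream server sits in its own, more generous class. It assumes IOS/IOS-XE router syntax and that 10.1.1.1 is the only intended upstream server; the Catalyst 3850 and Nexus 5548 have their own platform CoPP models, so the syntax there differs.

```cisco
! Added example, IOS/IOS-XE syntax. 10.1.1.1 is an assumed upstream NTP server.

! Expected NTP traffic: replies from the server this device polls
ip access-list extended COPP-NTP-KNOWN
 permit udp host 10.1.1.1 eq ntp any

! Everything else addressed to the NTP service (unsolicited client and control queries)
ip access-list extended COPP-NTP-OTHER
 permit udp any any eq ntp

class-map match-all COPP-NTP-KNOWN
 match access-group name COPP-NTP-KNOWN
class-map match-all COPP-NTP-OTHER
 match access-group name COPP-NTP-OTHER

! Classes are evaluated in order, so the known server is matched before the catch-all
policy-map COPP
 class COPP-NTP-KNOWN
  police 32000 conform-action transmit exceed-action drop
 class COPP-NTP-OTHER
  police 8000 conform-action transmit exceed-action drop

control-plane
 service-policy input COPP
```

Verify with `show policy-map control-plane`, which reports conformed and exceeded counts per class. Two caveats: the policer only protects the CPU, so within the permitted rate the device still answers whatever it is asked (only an NTP access-group or a version that denies mode 6 stops the reflection itself), and because the known-server class matches on source address it shares the spoofing weakness Seb describes.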

estefanoni
Level 1

You can add an ACL permitting your NTP servers and denying everything else, allowing only time requests and blocking control queries.

Example:

--------------------------------------

ip access-list extended NTP
permit ip host 10.1.1.1 any
permit ip any host 10.1.1.1
permit ip host 10.1.1.2 any
permit ip any host 10.1.1.2
permit ip host 10.1.1.3 any
permit ip any host 10.1.1.3

ntp access-group serve-only NTP

--------------------------------------

Hello,

When I use ntp access-group serve-only NTP as above, my working NTP stops even though I permit my server IP with the ACL.

--------------------------------------------

Extended IP access list NTP
10 permit ip host 10.1.1.1 any (22 matches)
20 permit ip any host 10.1.1.1
30 deny ip any any

 

ntp access-group serve-only NTP

ntp server 10.1.1.1

---------------------------------------------

Below are the debug messages I see despite getting hit counts on the permit statement. There is no authentication set up on the server.

----------------------------------------------

.Jun 9 13:21:28.657: NTP message sent to 10.1.1.1, from interface 'GigabitEthernet0/0/2.1118' (10.1.1.2).
.Jun 9 13:21:28.657: NTP message received from 10.1.1.1 on interface 'GigabitEthernet0/0/2.1118' (10.1.1.2).
.Jun 9 13:21:28.657: NTP Core(DEBUG): ntp_receive: message received
.Jun 9 13:21:28.657: NTP Core(DEBUG): ntp_receive: peer is 0x80007F2F38BB3168, next action is 1.
.Jun 9 13:21:28.657: NTP Core(INFO): 10.1.1.1 803C 8C bad_auth digest
.Jun 9 13:21:28.657: NTP Core(NOTICE): ntp_receive: dropping message: Access control denied.

----------------------------------------------

Please advise.

SD
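An added example (not configuration posted by anyone in this thread) that covers both the ACL approach above and the failure SD describes. In IOS, an access-group of type serve-only admits only time requests from the matching source; it does not allow the local device to synchronise to that source, so the upstream server's replies to the device's own polls are dropped, which is consistent with the "Access control denied" debug output. The configured server therefore belongs in a peer group, clients in a serve-only group, and, because once any NTP access-group is configured every source matching none of the groups is denied, no query-only group is needed to block mode 6 from everyone else. It assumes IOS/IOS-XE syntax, uses the thread's 10.1.1.1 as the upstream server and a placeholder 10.1.0.0/16 as the client range.

```cisco
! Added example, IOS/IOS-XE syntax.
! 10.1.1.1 is the thread's sample upstream server; 10.1.0.0/16 is a placeholder client range.

! Upstream server(s) this device synchronises from
ip access-list standard NTP-PEERS
 permit host 10.1.1.1

! Downstream clients allowed to request time from this device
ip access-list standard NTP-CLIENTS
 permit 10.1.0.0 0.0.255.255

! peer: time requests, control queries, and local synchronisation to the source
ntp access-group peer NTP-PEERS

! serve-only: time requests only; no control queries, no synchronisation from the source
ntp access-group serve-only NTP-CLIENTS

! No query-only group is configured. With access-groups present, any source that
! matches none of them is denied, so mode 6 control queries from elsewhere are dropped.

ntp server 10.1.1.1
```

The groups are checked in the order peer, serve, serve-only, query-only, first match wins, so a server that also appears in the client range is still handled by the peer group. Confirm synchronisation afterwards with `show ntp associations` and `show ntp status`, and watch the ACL counters with `show ip access-lists NTP-PEERS`. Note that the peer group does let 10.1.1.1 itself send control queries; if that is not wanted, the server must be trusted as such, since, as Seb notes, any source-address check can be defeated by spoofing.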

Rachel Lee
Cisco Employee
Re: what is NTP mode 6?

Hi there,

The mode value is sent in NTP query packets. Queries marked with a mode value of 6 are NTP Control Messages. The response will contain the NTP server's state along with a list of known peers.

Crucially, the response is larger than the request. When a request comes from a source which is spoofed, this can be used in a DDoS attack.

cheers,

Seb.

Thank you so much for your help!