02-22-2018 01:18 AM - edited 03-01-2019 08:44 AM
Hi,
Could anybody suggest how to restrict NTP mode 6 queries on Cisco devices like the Nexus 5548, Catalyst 3850, etc.?
Thanks in advance..
Laxi
02-22-2018 02:09 AM
Hi there,
If you are concerned about the NTP mode 6 amplification attack, then the only short term solutions available to you are to configure NTP access-groups, interfaces ACLs and CoPP. All of these workarounds are vulnerable to the fact that a source address can be spoofed.
The long term fix is to upgrade your IOS/ IOS-XE version to one which implements the following command:
!
ntp allow mode control xx
!
cheers,
Seb.
04-26-2018 10:54 AM
You can add an ACL, permitting your NTP servers and deny everything else, allowing only time requests and blocking control queries.
Example:
--------------------------------------
ip access-list extended NTP
permit ip host 10.1.1.1 any
permit ip any host 10.1.1.1
permit ip host 10.1.1.2 any
permit ip any host 10.1.1.2
permit ip host 10.1.1.3 any
permit ip any host 10.1.1.3
ntp access-group serve-only NTP
--------------------------------------
06-09-2022 08:27 AM
Hello,
When I use ntp access-group serve-only NTP as above, my working NTP stops, even though I permit my server IP with the ACL.
--------------------------------------------
Extended IP access list NTP
10 permit ip host 10.1.1.1 any (22 matches)
20 permit ip any host 10.1.1.1
30 deny ip any any
ntp access-group serve-only NTP
ntp server 10.1.1.1
---------------------------------------------
Below are the debug messages I see despite getting hit counts on the permit statement. There is no authentication set up on the server.
----------------------------------------------
.Jun 9 13:21:28.657: NTP message sent to 10.1.1.1, from interface 'GigabitEthernet0/0/2.1118' (10.1.1.2).
.Jun 9 13:21:28.657: NTP message received from 10.1.1.1 on interface 'GigabitEthernet0/0/2.1118' (10.1.1.2).
.Jun 9 13:21:28.657: NTP Core(DEBUG): ntp_receive: message received
.Jun 9 13:21:28.657: NTP Core(DEBUG): ntp_receive: peer is 0x80007F2F38BB3168, next action is 1.
.Jun 9 13:21:28.657: NTP Core(INFO): 10.1.1.1 803C 8C bad_auth digest
.Jun 9 13:21:28.657: NTP Core(NOTICE): ntp_receive: dropping message: Access control denied.
----------------------------------------------
Please advise.
SD
09-03-2019 01:06 AM
09-03-2019 01:18 AM
Hi there,
The mode value is sent in NTP query packets. Queries marked with a mode value of 6 are NTP Control Messages. The response will contain the NTP server's state along with a list of known peers.
Crucially, the response is larger than the request. When a request comes from a spoofed source, this can be used in a DDoS attack.
cheers,
Seb.
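As an added example (not code from this thread, from Cisco IOS, or from any poster), here is a small Python classifier that decodes the mode field Seb describes from the first byte of an NTP datagram, flags mode 6 control queries (and their READSTAT/READVAR opcodes, named per RFC 1305), and tallies them per source address so they can be spotted in a capture feed. The datagrams, the address 203.0.113.9 and the 400-byte control response are constructed for the demonstration, not captured traffic; the 10.1.1.x addresses are the ones used in the ACL examples above.

```python
"""Classify NTP datagrams by mode and flag mode 6 control queries (added example)."""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# NTP mode field values (RFC 5905 section 7.3); 6 = control, 7 = private (ntpdc)
MODE_NAMES = {
    0: "reserved", 1: "symmetric-active", 2: "symmetric-passive", 3: "client",
    4: "server", 5: "broadcast", 6: "control", 7: "private",
}
# Control-message opcodes (RFC 1305 Appendix B)
CONTROL_OPCODES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK",
                   5: "WRITECLOCK", 6: "SETTRAP", 7: "ASYNCMSG"}


@dataclass
class NtpHeader:
    leap: int
    version: int
    mode: int
    opcode: Optional[str] = None   # set only for mode 6
    is_response: bool = False      # R bit of the control header


def parse_ntp_header(payload: bytes) -> NtpHeader:
    """Decode LI/VN/Mode from byte 0; for mode 6 also decode the 12-byte control header."""
    if not payload:
        raise ValueError("empty datagram")
    first = payload[0]
    hdr = NtpHeader(leap=first >> 6, version=(first >> 3) & 0x07, mode=first & 0x07)
    if hdr.mode == 6:
        if len(payload) < 12:
            raise ValueError("truncated NTP control header")
        rem_op = payload[1]                      # R | E | M | opcode (5 bits)
        hdr.is_response = bool(rem_op & 0x80)
        hdr.opcode = CONTROL_OPCODES.get(rem_op & 0x1F, "opcode-%d" % (rem_op & 0x1F))
    return hdr


def is_control_query(payload: bytes) -> bool:
    """True for a mode 6 request (not a response): the packets the thread wants to restrict."""
    try:
        hdr = parse_ntp_header(payload)
    except ValueError:
        return False
    return hdr.mode == 6 and not hdr.is_response


def summarize(datagrams):
    """Per source address: count of each mode and the control opcodes requested.
    datagrams: iterable of (src_ip, payload) tuples."""
    report = defaultdict(lambda: {"modes": defaultdict(int), "control_opcodes": []})
    for src, payload in datagrams:
        try:
            hdr = parse_ntp_header(payload)
        except ValueError:
            report[src]["modes"]["malformed"] += 1
            continue
        report[src]["modes"][MODE_NAMES[hdr.mode]] += 1
        if hdr.mode == 6 and not hdr.is_response:
            report[src]["control_opcodes"].append(hdr.opcode)
    return {src: {"modes": dict(v["modes"]), "control_opcodes": v["control_opcodes"]}
            for src, v in report.items()}


def amplification_factor(request: bytes, response: bytes) -> float:
    """Response bytes per request byte: the property Seb points out for mode 6."""
    return len(response) / len(request)


# --- Constructed sample datagrams (not captured traffic) ---
CLIENT_REQUEST = bytes([0x23]) + bytes(47)     # LI=0 VN=4 mode=3, 48-byte header
SERVER_REPLY = bytes([0x24]) + bytes(47)       # LI=0 VN=4 mode=4
# Mode 6 READVAR request: LI=0 VN=2 mode=6, opcode 2, sequence 1, no data
CONTROL_READVAR = struct.pack("!BBHHHHH", 0x16, 0x02, 1, 0, 0, 0, 0)
# Matching response: R bit set, count=400, followed by 400 bytes of variable data
CONTROL_RESPONSE = struct.pack("!BBHHHHH", 0x16, 0x82, 1, 0, 0, 0, 400) + b"x" * 400

SAMPLE_FLOW = [
    ("10.1.1.2", CLIENT_REQUEST),        # normal time request to the server
    ("10.1.1.1", SERVER_REPLY),
    ("203.0.113.9", CONTROL_READVAR),    # constructed outside source sending control queries
    ("203.0.113.9", CONTROL_READVAR),
    ("203.0.113.9", b"\x16"),            # truncated mode 6 datagram
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_FLOW).items():
        print(src, info)
    print("control response amplification: %.1fx"
          % amplification_factor(CONTROL_READVAR, CONTROL_RESPONSE))
```

Feeding this the UDP/123 payloads from a capture gives a per-source view of who is sending control queries versus plain client/server exchanges, which is the traffic the access-group or `ntp allow mode control` settings above are meant to limit.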
09-03-2019 01:26 AM