How to restrict ntp mode 6 queries

Hi,

Could anybody suggest how to restrict NTP mode 6 queries on Cisco devices like the Nexus 5548, Catalyst 3850, etc.?

Thanks in advance.

Laxi

5 REPLIES
Seb Rupik
VIP Advisor

Hi there,
If you are concerned about the NTP mode 6 amplification attack, then the only short-term solutions available to you are to configure NTP access-groups, interface ACLs and CoPP. All of these workarounds are vulnerable to the fact that a source address can be spoofed.
The long-term fix is to upgrade your IOS/IOS-XE version to one which implements the following command:

!
ntp allow mode control xx
!

cheers,

Seb.

estefanoni
Beginner

You can add an ACL permitting your NTP servers and denying everything else, allowing only time requests and blocking control queries.

Example:

--------------------------------------
ip access-list extended NTP
permit ip host 10.1.1.1 any
permit ip any host 10.1.1.1
permit ip host 10.1.1.2 any
permit ip any host 10.1.1.2
permit ip host 10.1.1.3 any
permit ip any host 10.1.1.3

ntp access-group serve-only NTP
--------------------------------------

Rachel Lee
Cisco Employee

Re: What is NTP mode 6?

Hi there,

The mode value is sent in NTP query packets. Queries marked with a mode value of 6 are NTP Control Messages. The response will contain the NTP server's state along with a list of known peers.

Crucially, the response is larger than the request. When a request comes from a source which is spoofed, this can be used in a DDoS attack.

cheers,

Seb.
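Added example, not code from the thread or from Cisco: a small Python decoder for the NTP header and the mode 6 control-message header, so that control traffic (and whether a device is still answering it) can be picked out of a packet capture or flow export when checking that the mitigations above took effect. Header layouts follow RFC 5905 and RFC 1305 Appendix B; the sample packets, the 192.168.1.10 and 203.0.113.9 addresses, the variable list in the response, and the function names `parse_ntp_header`, `parse_control_message`, `audit_flows` and `amplification_ratio` are all constructed for this example.

```python
"""Added example, not from the thread: decode NTP headers so that mode 6
(control) traffic can be recognised in a packet capture or flow export,
for instance when checking that a device no longer answers control
queries after the mitigations above are applied.
Header layout per RFC 5905 section 7.3; control-message header per
RFC 1305 Appendix B. All packets and addresses below are constructed."""

import struct

MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast",
    6: "control",   # ntpq-style queries: the amplification vector discussed above
    7: "private",   # ntpdc-style queries, same concern
}

# Control-message opcodes (RFC 1305 Appendix B) worth naming in a finding.
OPCODE_NAMES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK",
                5: "WRITECLOCK", 6: "SETTRAP", 7: "TRAP"}


def parse_ntp_header(packet: bytes) -> dict:
    """Split the first byte into leap indicator (2 bits), version (3) and mode (3)."""
    if not packet:
        raise ValueError("empty packet")
    first = packet[0]
    mode = first & 0x7
    return {"li": first >> 6, "version": (first >> 3) & 0x7,
            "mode": mode, "mode_name": MODE_NAMES[mode]}


def parse_control_message(packet: bytes) -> dict:
    """Decode the 12-byte control header of a mode 6 packet.
    Byte 1 carries the R (response), E (error) and M (more) flags plus a
    5-bit opcode; then sequence, status, association id, offset and count."""
    hdr = parse_ntp_header(packet)
    if hdr["mode"] != 6:
        raise ValueError("not a control message (mode %d)" % hdr["mode"])
    if len(packet) < 12:
        raise ValueError("control header truncated")
    rem_op, seq, status, assoc, offset, count = struct.unpack("!BHHHHH", packet[1:12])
    return {**hdr,
            "response": bool(rem_op & 0x80), "error": bool(rem_op & 0x40),
            "more": bool(rem_op & 0x20), "opcode": rem_op & 0x1F,
            "opcode_name": OPCODE_NAMES.get(rem_op & 0x1F, "unknown"),
            "sequence": seq, "status": status, "association_id": assoc,
            "offset": offset, "count": count, "payload_len": len(packet) - 12}


def amplification_ratio(request: bytes, response: bytes) -> float:
    """Bytes sent back per byte received: the figure that makes mode 6 attractive
    for reflection when the request's source address is spoofed."""
    return len(response) / len(request)


def audit_flows(flows):
    """flows: iterable of (src, dst, udp_payload). Returns one finding per
    mode 6/7 packet; for mode 6 it also records whether the packet is a
    response (R bit), i.e. the device is still answering control queries."""
    findings = []
    for src, dst, payload in flows:
        hdr = parse_ntp_header(payload)
        if hdr["mode"] not in (6, 7):
            continue
        finding = {"src": src, "dst": dst, "mode": hdr["mode"], "bytes": len(payload)}
        if hdr["mode"] == 6:
            ctl = parse_control_message(payload)
            finding.update(response=ctl["response"], opcode=ctl["opcode_name"])
        findings.append(finding)
    return findings


# --- constructed sample packets ---------------------------------------------
# Ordinary NTPv4 client request: first byte 0x23 = LI 0, VN 4, mode 3, 48 bytes.
CLIENT_REQUEST = bytes([0x23]) + bytes(47)
# Mode 6 READVAR request as ntpq would send it: 0x16 = LI 0, VN 2, mode 6;
# opcode 2, sequence 1, no data.
CONTROL_REQUEST = struct.pack("!BBHHHHH", 0x16, 0x02, 1, 0, 0, 0, 0)
# Matching response: R bit set, carrying a constructed system-variable list.
RESPONSE_VARS = (b'version="ntpd (constructed sample)", processor="x86_64", '
                 b'system="Linux", leap=00, stratum=2, precision=-23, '
                 b'rootdelay=1.234, refid=10.1.1.1, peers=3')
CONTROL_RESPONSE = struct.pack("!BBHHHHH", 0x16, 0x82, 1, 0, 0, 0,
                               len(RESPONSE_VARS)) + RESPONSE_VARS

# 10.1.1.1 is the NTP server from the ACL above; 203.0.113.9 is an outside host.
SAMPLE_FLOWS = [
    ("192.168.1.10", "10.1.1.1", CLIENT_REQUEST),     # normal time request
    ("203.0.113.9", "10.1.1.1", CONTROL_REQUEST),     # control query from outside
    ("10.1.1.1", "203.0.113.9", CONTROL_RESPONSE),    # device still answering it
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f)
    print("amplification x%.1f" % amplification_ratio(CONTROL_REQUEST, CONTROL_RESPONSE))
```

Run against a real capture, the interesting finding is a mode 6 packet with the R bit set leaving one of your devices toward an address that should never be querying it: that is the traffic the access-group, ACL or `ntp allow mode control` change is meant to stop, and it is absent once the mitigation works. The ratio function makes the point of the reply above concrete: a 12-byte readvar request draws a response many times its size.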

Thank you so much for your help!