09-29-2014 07:18 AM - edited 03-04-2019 11:51 PM
Hi,
We have lots of Cisco IOS devices (2800/2900 routers and some 3750 Catalyst switches), and need to secure them against NTP reflection attacks.
Actually, there are 2 kinds of attacks:
While mode 7 queries are easy to handle with ntp access-lists, mode 6 queries are still possible. This is the output from a Cisco IOS router with ntp access-lists configured:
-bash-4.1$ ntpq -c rv XX.XX.XX.XX
assID=0 status=062c leap_none, sync_ntp, 2 events, event_12,
version="4", processor="unknown", system="UNIX", leap=00, stratum=3,
precision=-21, rootdelay=?, rootdisp=, refid=XX.XX.XX.XX,
reftime=d7d3e69d.9b75682c Mon, Sep 29 2014 16:09:33.607,
clock=d7d3e6a1.2f22b147 Mon, Sep 29 2014 16:09:37.184, peer=32663,
tc=10, mintc=3, offset=?, frequency=?, sys_jitter=, clk_jitter=,
Is there a way to prevent an IOS device from answering mode 6 queries without configuring access lists directly on the WAN ports to discard all incoming UDP traffic to port 123?
Thank you in advance.
*) https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Version
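Added example, not code from the original post or from Cisco: a small Python parser that classifies captured NTP payloads by mode and decodes mode 6 control responses of the kind shown in the `ntpq -c rv` output above. Run over a packet capture taken at the WAN edge, it tells you whether a device is still answering mode 6 queries after the access-lists are applied, and how much larger the response is than the request. All packets, addresses and the `refid` value are constructed; only the status word 0x062c and the variable names are taken from the output above.

```python
"""Classify NTP payloads by mode and decode mode 6 (control) responses.

Added example for the thread above, not Cisco code.  All packets below are
constructed; the addresses are RFC 5737 documentation ranges.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}
# Mode 6 opcodes from RFC 1305 Appendix B (READVAR is what `ntpq -c rv` uses).
CONTROL_OPCODES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK",
                   5: "WRITECLOCK", 6: "SETTRAP", 7: "ASYNCMSG", 8: "UNSETTRAP"}


@dataclass
class NtpInfo:
    version: int
    mode: int
    mode_name: str
    is_response: bool
    length: int
    opcode: Optional[str] = None
    status: Optional[int] = None
    variables: Dict[str, str] = field(default_factory=dict)


def parse_ntp(payload: bytes) -> NtpInfo:
    """Decode byte 0 (LI/VN/mode) and, for mode 6, the control header and data."""
    if not payload:
        raise ValueError("empty NTP payload")
    first = payload[0]
    mode, version = first & 0x07, (first >> 3) & 0x07
    info = NtpInfo(version, mode, MODE_NAMES[mode], False, len(payload))
    if mode == 6:
        # Control header: R/E/M flag bits + opcode, sequence, status,
        # association id, offset, count, then `count` data bytes (padded to 4).
        if len(payload) < 12:
            raise ValueError("truncated NTP control packet")
        rem_op = payload[1]
        _seq, status, _assoc, _offset, count = struct.unpack("!HHHHH", payload[2:12])
        info.is_response = bool(rem_op & 0x80)
        info.opcode = CONTROL_OPCODES.get(rem_op & 0x1F, f"opcode{rem_op & 0x1F}")
        info.status = status
        # READVAR data is a comma-separated "name=value" list, as ntpq prints it.
        for item in payload[12:12 + count].decode("ascii", "replace").split(","):
            if "=" in item:
                name, value = item.split("=", 1)
                info.variables[name.strip()] = value.strip().strip('"')
    elif mode == 7:
        # Mode 7 "private" packets carry the response flag in bit 7 of byte 0.
        info.is_response = bool(first & 0x80)
    else:
        info.is_response = mode in (4, 5)
    return info


def build_control_packet(opcode: int, response: bool, status: int,
                         data: bytes = b"", seq: int = 1) -> bytes:
    """Build a mode 6 packet (byte 0 = 0x16: LI 0, version 2, mode 6), assoc id 0."""
    rem_op = (0x80 if response else 0x00) | (opcode & 0x1F)
    header = bytes([0x16, rem_op]) + struct.pack("!HHHHH", seq, status, 0, 0, len(data))
    return header + data + b"\x00" * ((-len(data)) % 4)


def amplification_ratio(request: bytes, response: bytes) -> float:
    """Bytes returned per byte received; the larger this is, the more a leak matters."""
    return len(response) / len(request)


def audit_packets(packets: List[Tuple[str, str, bytes]]) -> List[dict]:
    """Flag mode 6/7 traffic seen on UDP/123 at the edge; input is (src, dst, payload)."""
    findings = []
    for src, dst, payload in packets:
        info = parse_ntp(payload)
        if info.mode in (6, 7):
            findings.append({"src": src, "dst": dst, "mode": info.mode_name,
                             "direction": "response" if info.is_response else "request",
                             "opcode": info.opcode, "bytes": info.length})
    return findings


# Constructed samples: an ordinary client/server exchange plus a READVAR
# exchange mirroring the ntpq output above (status word 0x062c is from there).
CLIENT_REQ = bytes([0x23]) + bytes(47)          # LI 0, version 4, mode 3
SERVER_RESP = bytes([0x24]) + bytes(47)         # LI 0, version 4, mode 4
RV_REQ = build_control_packet(2, False, 0)      # READVAR, association 0
RV_RESP = build_control_packet(
    2, True, 0x062C,
    b'version="4", processor="unknown", system="UNIX", leap=00, stratum=3, '
    b'precision=-21, refid=192.0.2.1')
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.1", CLIENT_REQ),
    ("192.0.2.1", "198.51.100.7", SERVER_RESP),
    ("203.0.113.9", "192.0.2.1", RV_REQ),
    ("192.0.2.1", "203.0.113.9", RV_RESP),
]

if __name__ == "__main__":
    for finding in audit_packets(SAMPLE_PACKETS):
        print(finding)
    print("READVAR amplification: %.1fx" % amplification_ratio(RV_REQ, RV_RESP))
```

The mode 3/4 exchange produces no finding; the two mode 6 packets do, and the decoded response carries the same `stratum`, `system` and status fields you see in `ntpq`. In a real capture you would feed `audit_packets` the UDP/123 payloads from the edge and treat any mode 6 response leaving the router as proof that the access-list is not blocking control queries.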
09-29-2014 11:12 PM
You can minimize NTP magnification attacks in several ways:
1. Get a firewall/IPS/IDS;
2. Use a Loopback IP address and specify/allow the subnet of the Loopback IP address for SNTP/NTP using an ACL;
3. Create an NTP authentication.
10-01-2014 07:54 AM
In this case, it is a confirmed and already fixed bug:
https://tools.cisco.com/bugsearch/bug/CSCuj66318
04-04-2017 12:09 PM
Shadowhawk this issue does not appear to be fixed in current versions of IOS-XE 03.06.06E, 150-2.SG11, and so on. Would you know if Cisco intends to update the NTP code being embedded into IOS, IOS-XE, and so on?