NTP services running on internet routers

manse0081
Level 1

Hi

Two internet routers, Version 15.5(3)S4b & ISR4431/K9.

We have configured only `ntp server 132.163.96.5` and have not enabled any NTP services on both routers.

But we are getting in the tool: NTP services running on internet routers.

Please help

Thanks

manse

14 Replies

Mark Elsen
Hall of Fame

 - Please elaborate, I find your question not clear.

  M.



-- Let everything happen to you
   Beauty and terror
   Just keep going
   No feeling is final
Rainer Maria Rilke (1899)

Cristian Matei
VIP Alumni

Hi,

The moment you configure a router as NTP server (ntp master), or as NTP client (ntp server x.x.x.x), or as NTP peer (ntp peer x.x.x.x), it's gonna open the NTP socket and start listening on UDP 123. You can verify this by "show control-plane host open-ports".


Regards,
Cristian Matei.

manse

I am not clear whether finding ntp services running on your routers is an issue, or is just a surprise. @Cristian Matei is exactly right that when you configure the router with ntp server so that your router will learn authoritative ntp time, then ntp services are inherently started on your router. If that is an issue, and if you want to restrict your router to learning ntp time but not sharing ntp time, then you should look into configuring ntp access groups to limit what your router will do.

HTH

Rick

Hi Matei,

We have configured NTP client (ntp server x.x.x.x) only.

Internal security scan found our router is vulnerable to the ntp mode 6 vulnerability (ntp mode 6 Botnet infections/vulnerable services).

Internet Security found NTP service is running on the Internet routers.

 

Regards

Manse

Hello,

On a side note, you might want to have a look at the bug below:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum44673/?rfs=iqvred

Hi Georg,

Please suggest which IOS version we need to upgrade to.

Any other suggestion, ACL or IOS upgrade?

Thanks


 - IOS is known to have security bugs concerning NTP; an alternative architecture would be Intranet NTP server/services -> DMZ NTP server -> ISP NTP services. A benefit is also that the NTP architecture becomes separate from routing and switching services.

 M.


Hi

We have tested with the tool and we received that router and switch NTP services are running.

4 devices are synchronized with the outside NTP server: `ntp server 132.163.96.5`

Kindly find the attached file.

Hi,

An IOS upgrade will not make UDP port 123 be closed. You have the following options, from recommended to least recommended:

1. Use internal NTP servers, and have an inbound ACL on your ISP-facing interface, where you drop traffic destined to the router on UDP 123.

2. Use external NTP servers, and configure ZBFW with a self-->outside policy, where you inspect egress NTP packets so that only return packets are allowed, so the Internet NTP servers cannot initiate a session towards your router.

3. Use external NTP servers, and have an inbound ACL on your ISP-facing interface, where you allow NTP traffic ONLY from your configured NTP servers.

 

Regards,

Cristian Matei.

Manse has explained that the issue is that their security team has run a scan and has identified a vulnerability associated with running ntp on their router. I do not believe that any of the suggestions from @Cristian Matei really address this. I believe that there is one other alternative to consider which is to configure ntp access groups which can limit (or prevent) the router providing ntp time to any other devices. And I am not clear whether this suggestion would be adequate to satisfy their security team.

HTH

Rick
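The inbound ACL from option 3 above combined with the ntp access groups Rick describes, as an added example that is not from this thread or from Cisco. It assumes the ISP uplink is GigabitEthernet0/0/0, that the internal servers taking time from the router sit in 10.0.0.0/8 (placeholder), and that 132.163.96.5 from the original post is the only upstream server.

```cisco
! Added example, not from the thread. Assumed: ISP uplink is
! GigabitEthernet0/0/0; internal hosts that sync from this router are in
! 10.0.0.0/8 (placeholder); 132.163.96.5 is the only upstream server.
!
! Existing client configuration from the original post.
ntp server 132.163.96.5
!
! Option 3: inbound ACL on the ISP-facing interface that accepts NTP only
! from the configured upstream server. IOS sends its client requests from
! UDP 123, so replies arrive with source and destination port 123.
ip access-list extended ISP-IN
 remark NTP replies only from our configured upstream server
 permit udp host 132.163.96.5 eq ntp any eq ntp
 deny   udp any any eq ntp log
 remark Placeholder: the rest of your existing inbound policy goes here
 permit ip any any
!
interface GigabitEthernet0/0/0
 ip access-group ISP-IN in
!
! NTP access groups (Rick's suggestion). Once any access group exists,
! NTP packets that match none of them are dropped.
!   peer       - router may sync to these hosts; they may also query it
!   serve-only - time requests only, no control (mode 6/7) queries
! Nothing else, including mode 6 queries from the Internet, is answered.
access-list 10 remark upstream NTP server
access-list 10 permit 132.163.96.5
access-list 11 remark internal servers that take time from this router
access-list 11 permit 10.0.0.0 0.255.255.255
ntp access-group peer 10
ntp access-group serve-only 11
!
! Verification (exec mode):
!   show control-plane host open-ports   UDP 123 still listens; that is expected
!   show ntp associations                router still synced to 132.163.96.5
!   show ntp status
```

UDP 123 will still show as open in the scan because the socket exists; the change is that only the configured server and the internal range get any answer, which is what the mode 6 finding is about.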

Hi,

@Richard Burts "ntp mode 6 Botnet infections/vulnerable services" is a generic message, it is not really bound to a specific attack vector; it's pretty much saying that he's running NTP, which we know is vulnerable. The solution is for him to run a stable good, which "guarantees" less bugs, and apply a solution to secure the NTP service as best as possible; alternatives would be the ones I mentioned or the NTP access-class, as you specified.

  The moment you expose your router to the Internet for NTP, you can just forget about the security and stability of that device. You could combine it with CPPr to save the CPU, but you're still vulnerable, as this is how NTP is.


Regards,

Cristian Matei.

Hi

I am totally confused.

My internal servers are ntp synchronized with internet Router1 and Router2.

My internet Routers and Switches are ntp synchronized with the outside NTP server.

Internal security scan found our router is vulnerable to the ntp mode 6 vulnerability (ntp mode 6 Botnet infections/vulnerable services).

We found 4 devices with NTP services running.

Hi,

You just need to secure the NTP service, as now it's wide open and anyone can access it. You were given a couple of options above.

Regards,

Cristian Matei.