NTP attack?

Unanswered Question
Aug 20th, 2009

Hi Guys,

Would you please help with this logs:

Aug 20 11:49:02.242: NTP Core (NOTICE): ntp_receive: dropping message: unsynch.

Aug 20 11:49:19.170: NTP Core (NOTICE): ntp_receive: dropping message: unsynch.

The device is a NTP master for the network. Is there an NTP atack going on?

Regards,

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
slmansfield Thu, 08/20/2009 - 08:31

I don't think so. There are a number of reasons why NTP synchronization is failing.

If your Cisco device is configured as the NTP MASTER, it will override a valid time source. Configuring multiple machines in the same network with the ntp master command can cause instability in timekeeping if the machines do not agree on the time.

You might consider configuring your "master" with an NTP server that is on the Internet. Cisco devices are not really meant to be authoritative time sources.

You might also check authentication if you're using it, and any NTP access-list entries to ensure that they are correct. Also, any firewalls between your NTP server and other devices should allow UDP port 123 in both directions.

Here is a URL that provides details on how to configure NTP. I find that many problems can be traced to configuration errors.

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1001202

HTH

Actions

This Discussion