Cisco Support Community
New Member

NTP Security on IOS devices

Hi,

We have lots of Cisco IOS devices (2800/2900 routers and some 3750 Catalyst switches), and need to secure them against NTP reflection attacks.

Actually, there are two kinds of attacks:

  1. NTP Mode 7 query for MONLIST
  2. NTP Mode 6 query for READVAR *)

While mode 7 queries are easy to handle with ntp access-lists, mode 6 queries are still possible. This is an output of a Cisco IOS Router with configured ntp access-lists:

-bash-4.1$ ntpq -c rv XX.XX.XX.XX
assID=0 status=062c leap_none, sync_ntp, 2 events, event_12,
version="4", processor="unknown", system="UNIX", leap=00, stratum=3,
precision=-21, rootdelay=?, rootdisp=, refid=XX.XX.XX.XX,
reftime=d7d3e69d.9b75682c  Mon, Sep 29 2014 16:09:33.607,
clock=d7d3e6a1.2f22b147  Mon, Sep 29 2014 16:09:37.184, peer=32663,
tc=10, mintc=3, offset=?, frequency=?, sys_jitter=, clk_jitter=,

Is there a way to prevent an IOS device from answering mode 6 queries without configuring access lists directly on the WAN ports to discard all incoming UDP traffic to port 123?

Thank you in advance.


*) https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Version
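As an added example (not from the thread, Cisco, or the ntp project), a small Python classifier that decodes the mode field of the NTP header so a defender can pick out the mode 6 (READVAR) and mode 7 query packets discussed above from a capture of UDP/123 traffic; the packet tuples and addresses are constructed sample data.

```python
# Flag NTP mode 6 (control) and mode 7 (private) packets seen on UDP/123.
# Header layout per RFC 5905 s7.3; control opcodes per RFC 1305 appendix B.
MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast",
              6: "control (ntpq)", 7: "private (ntpdc)"}
CONTROL_OPCODES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK",
                   5: "WRITECLOCK", 6: "SETTRAP", 7: "ASYNCMSG"}

def classify_ntp(payload: bytes) -> dict:
    """Decode version, mode and, for mode 6/7, query-vs-response and opcode."""
    if not payload:
        raise ValueError("empty NTP payload")
    first = payload[0]
    mode = first & 0x7
    info = {"version": (first >> 3) & 0x7, "mode": mode,
            "mode_name": MODE_NAMES[mode], "reflection_capable": mode in (6, 7),
            "is_response": None, "opcode": None}
    if mode == 6 and len(payload) >= 2:
        # byte 1 of a control message: R(1) E(1) M(1) opcode(5); R=1 is a response
        info["is_response"] = bool(payload[1] & 0x80)
        info["opcode"] = CONTROL_OPCODES.get(payload[1] & 0x1F, "other")
    elif mode == 7:
        # mode 7 reuses the two LI bits of byte 0 as R (response) and M (more)
        info["is_response"] = bool(first & 0x80)
    return info

def reflection_queries(packets):
    """Return (src, dst, mode_name, opcode) for each mode 6/7 query that is
    not a response; packets are (src_ip, dst_ip, payload) tuples from a capture."""
    hits = []
    for src, dst, payload in packets:
        info = classify_ntp(payload)
        if info["reflection_capable"] and not info["is_response"]:
            hits.append((src, dst, info["mode_name"], info["opcode"]))
    return hits

# Constructed sample payloads (RFC 5737 test addresses, not the thread's router).
SAMPLE_PACKETS = [
    ("198.51.100.10", "192.0.2.1", bytes([0x23]) + bytes(47)),        # v4 client poll
    ("198.51.100.20", "192.0.2.1", bytes([0x16, 0x02]) + bytes(10)),  # ntpq readvar
    ("192.0.2.1", "198.51.100.20", bytes([0x16, 0x82]) + bytes(10)),  # readvar reply
    ("198.51.100.30", "192.0.2.1", bytes([0x17]) + bytes(7)),         # mode 7 query
]

if __name__ == "__main__":
    for hit in reflection_queries(SAMPLE_PACKETS):
        print("mode 6/7 query seen:", hit)
```

Feeding the same tuples from a pcap of the router's WAN interface shows which external sources are probing it with control or private queries, independent of whether the ntp access-group on the box actually blocks them.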

3 REPLIES
Hall of Fame Super Gold

You can minimize NTP magnification attacks in several ways: 

1.  Get a firewall/IPS/IDS;

2.  Use a Loopback IP Address and specify/allow the subnet of the Loopback IP address for SNTP/NTP using an ACL; 

3.  Create an NTP authentication.

New Member

In this case, it is a confirmed and already fixed bug:

https://tools.cisco.com/bugsearch/bug/CSCuj66318

New Member

Shadowhawk this issue does not appear to be fixed in current versions of IOS-XE 03.06.06E, 150-2.SG11, and so on. Would you know if Cisco intends to update the NTP code being embedded into IOS, IOS-XE, and so on?
