New Member

NTP Security on IOS devices


We have lots of Cisco IOS devices (2800/2900 routers and some 3750 Catalyst switches), and need to secure them against NTP reflection attacks.

Actually, there are 2 kinds of attacks:

  1. NTP Mode 7 query for MONLIST
  2. NTP Mode 6 query for READVAR *)

While mode 7 queries are easy to handle with ntp access-lists, mode 6 queries are still possible. This is the output from a Cisco IOS router with ntp access-lists configured:

-bash-4.1$ ntpq -c rv XX.XX.XX.XX
assID=0 status=062c leap_none, sync_ntp, 2 events, event_12,
version="4", processor="unknown", system="UNIX", leap=00, stratum=3,
precision=-21, rootdelay=?, rootdisp=, refid=XX.XX.XX.XX,
reftime=d7d3e69d.9b75682c  Mon, Sep 29 2014 16:09:33.607,
clock=d7d3e6a1.2f22b147  Mon, Sep 29 2014 16:09:37.184, peer=32663,
tc=10, mintc=3, offset=?, frequency=?, sys_jitter=, clk_jitter=,

Is there a way to prevent an IOS device from answering mode 6 queries without configuring access lists directly on the WAN ports to discard all incoming UDP traffic to port 123?

Thank you in advance.



Hall of Fame Super Gold

You can minimize NTP magnification attacks in several ways: 


1.  Get a firewall/IPS/IDS;

2.  Use a Loopback IP address and specify/allow the subnet of the Loopback IP address for SNTP/NTP using an ACL;

3.  Create an NTP authentication.
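As an added illustration of points 2 and 3 above (example configuration written for this thread, not taken from any post or from Cisco documentation; every address, ACL number and key is a placeholder), here is how the loopback source, the ntp access groups and NTP authentication fit together on an IOS router:

```text
! Source the router's own NTP traffic from a stable loopback (point 2)
interface Loopback0
 ip address 192.0.2.1 255.255.255.255      ! placeholder address

ntp source Loopback0

! Authenticate the upstream server we synchronise to (point 3)
ntp authenticate
ntp authentication-key 1 md5 CHANGE-ME-PLACEHOLDER-KEY
ntp trusted-key 1
ntp server 198.51.100.10 key 1             ! placeholder upstream server

! ACL 10: the only host allowed full peer association
access-list 10 permit host 198.51.100.10
! ACL 20: internal clients that may be served time (but not peer with us)
access-list 20 permit 10.0.0.0 0.255.255.255

! Once any ntp access-group is configured, sources matching no group are dropped,
! so everything outside ACL 10 and ACL 20 gets no time service at all
ntp access-group peer 10
ntp access-group serve-only 20
```

As the original poster observed, on the affected software releases these access groups did not stop replies to mode 6 (control) queries such as READVAR; that behaviour is the bug later confirmed and fixed in the thread, so the access-group configuration is a complement to, not a substitute for, running a fixed release.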

New Member

In this case, it is a confirmed and already fixed bug:

New Member

Shadowhawk this issue does not appear to be fixed in current versions of IOS-XE 03.06.06E, 150-2.SG11, and so on. Would you know if Cisco intends to update the NTP code being embedded into IOS, IOS-XE, and so on?

