Protecting ASR9K from ntp attacks

Hi Everyone,

I was surprised to find some IP addresses of our ASR9K devices listed as responding to ntp from AusCERT.

My only ntp config is:

RP/0/RSP0/CPU0:asr9006-01#sh run ntp
Wed Apr  2 11:49:45.393 EST
ntp
 peer 10.x.y.z version 2 source MgmtEth0/RSP0/CPU0/0
!

So I'm wondering what the recommended way to protect the ASR9K is? Is it ACL or NTP config? I've checked the hardening guide but it's not conclusive, i.e.

NTP services are disabled on all interfaces in Cisco IOS XR Software by default. Administrators should enable it only on the specific interface when necessary. When NTP is enabled globally, administrators can selectively prevent NTP packets from being received through a specific interface by turning off NTP on a given interface, as shown in the following example:

Any guidance is appreciated.

Mike


Accepted Solution

xthuijs
Cisco Employee

Hi Mike,

ntp authentication is not helping that much; it is merely to validate the server('s validity) rather than protecting this client.

The ACL on NTP can be used, but that is applied at the sw level, so may not be all that helpful.

What you probably can or want to do is the following.

You define your servers that you want to connect with, then LPTS will associate them with the NTP-KNOWN policer. All other clients will follow LPTS policer NTP-default.

 

Example, config used:

ntp
 server 3.0.0.1
!

LPTS entries:

RP/0/RSP0/CPU0:A9K-BNG#show lpts pifib hardware entry brief location 0/0/cPU0   | i 123
Wed Apr  2 07:54:53.996 EDT
32     IPV4 default      UDP    any             LU(30) any,123 3.0.0.1,any << yes we like that
204    IPV4 default      UDP    any             LU(30) any,123 any,any << crap this we need to close of!

The policer entry for the 3.0.0.1 is :

RP/0/RSP0/CPU0:A9K-BNG#show lpts pifib hardware entry loc 0/0/cPU0 | be 3.0.0.1        
Wed Apr  2 07:55:55.137 EDT
Source IP         : 3.0.0.1
Is Fragment       : 0
Interface         : any
M/L/T/F           : 0/IPv4_LISTENER/0/NTP-known <<<
DestNode          : 48
DestAddr          : 48
SID               : 7
L4 Protocol       : UDP
Source port       : Port:any
Destination Port  : 123
Ct                : 0x613110
Accepted/Dropped  : 0/0
Lp/Sp             : 1/255
# of TCAM entries : 1
HPo/HAr/HBu/Cir   : 14876884/200pps/200ms/200pps
State             : Entry in TCAM
Rsp/Rtp           : 26/40

 

The LPTS Policer values are defined as:

RP/0/RSP0/CPU0:A9K-BNG#show lpts pifib hardware police location 0/0/cPU0  | i NTP
Wed Apr  2 07:57:29.351 EDT
NTP-default            126     Static  200        200        0                    0                    01234567            
NTP-known              180     Static  200        200        0                    0                    01234567         

 

So if we set NTP-default with config

lpts pifib hardware police
 flow ntp default rate 1

you are in good shape.

 

makes sense?

regards

xander
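A small audit helper, added here and not part of Xander's reply or of any Cisco tool, that parses the two show outputs quoted above (sample text constructed from them, annotations included) and reports when a UDP/123 LPTS entry is open to any source while the NTP-default policer is still above 1 pps. The column meanings in the police output are my assumption.

```python
# Sample show output constructed from the thread (reader annotations kept on purpose).
ENTRY_BRIEF = """\
32     IPV4 default      UDP    any             LU(30) any,123 3.0.0.1,any << yes we like that
204    IPV4 default      UDP    any             LU(30) any,123 any,any << crap this we need to close of!
"""
POLICE = """\
NTP-default            126     Static  200        200        0                    0                    01234567
NTP-known              180     Static  200        200        0                    0                    01234567
"""


def parse_entries(text):
    """Rows of 'show lpts pifib hardware entry brief' as dicts (index, L4, local port, remote addr)."""
    rows = []
    for line in text.splitlines():
        fields = line.split("<<")[0].split()  # drop the '<<' commentary before splitting
        if len(fields) < 8 or not fields[0].isdigit():
            continue  # prompt, timestamp or header line
        local_port = fields[6].split(",")[1]   # e.g. 'any,123'
        remote_addr = fields[7].split(",")[0]  # e.g. '3.0.0.1,any' or 'any,any'
        rows.append({"index": int(fields[0]), "l4": fields[3],
                     "local_port": local_port, "remote_addr": remote_addr})
    return rows


def open_ntp_entries(text):
    """Indexes of UDP/123 listener entries reachable from any remote address."""
    return [r["index"] for r in parse_entries(text)
            if r["l4"] == "UDP" and r["local_port"] == "123" and r["remote_addr"] == "any"]


def policer_rates(text):
    """Flow name -> current rate (pps) from 'show lpts pifib hardware police'.
    Assumption: column 4 is the current rate, column 5 the platform default."""
    rates = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3].isdigit():
            rates[fields[0]] = int(fields[3])
    return rates


def audit_ntp(entry_text, police_text, max_default_pps=1):
    """Findings for the catch-all NTP listener; empty once 'flow ntp default rate 1' is in place."""
    rate = policer_rates(police_text).get("NTP-default")
    findings = []
    for idx in open_ntp_entries(entry_text):
        if rate is None or rate > max_default_pps:
            findings.append(f"LPTS entry {idx}: UDP/123 open to any source while "
                            f"NTP-default policer is {rate} pps (want <= {max_default_pps})")
    return findings
```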


Thanks Xander,

That certainly has helped and resolved the issue. What is not clear on the security/hardening guidelines is what the best way to do things is. You have to read everything, test it and then come up with your plan. Is there anyone who has a recommended guide for securing Internet routers without having to become an expert first to understand how to apply it?

Regards
Mike

xander,

flow ntp default rate 1

where did the "1" come from?

 

--Tim

I see now it's the rate in pps.

 

--Tim

sorry for the late reply Tim, but yes this is in PPS.

setting it to zero is possible I believe but due to the way the policer works there is always a burst of 1 so completely blocking it is not possible with lpts.

If this is very very important to get it to zero, then an ACL or policer via MQC with xmit, violate and exceed actions set to drop.

 

cheers

xander

NTP still responds without an interface ACL. How do we disable the ntp server?

that is correct, that process is started by default.

Here is an example to shut down the process and how to work that:

regards

xander

RP/0/RSP0/CPU0:A9K-BNG#process shutdown ntpd
Thu Apr 10 20:40:44.869 EDT
Process Shutdown of a process could leave the System in an Inconsistent State. Proceed? [confirm]RP/0/RSP0/CPU0:Apr 10 20:40:45.685 : sysmgr_control[65889]: %OS-SYSMGR-4-PROC_SHUTDOWN_NAME : User root (con0_RSP0_CPU0) requested a shutdown of process ntpd at 0/RSP0/CPU0

RP/0/RSP0/CPU0:A9K-BNG#show proc | i ntp    
Thu Apr 10 20:41:01.103 EDT
RP/0/RSP0/CPU0:A9K-BNG#process start ntpd   
Thu Apr 10 20:41:12.291 EDT
RP/0/RSP0/CPU0:Apr 10 20:41:12.313 : sysmgr_control[65737]: %OS-SYSMGR-4-PROC_START_NAME : User root (con0_RSP0_CPU0) requested a start of process ntpd at 0/RSP0/CPU0
RP/0/RSP0/CPU0:A9K-BNG#show proc | i ntp
Thu Apr 10 20:41:14.867 EDT
262    1    3   92K  10 Receive        0:00:00:0543    0:00:00:0041 ntpd
262    2    1   92K  10 Receive        0:00:02:0664    0:00:00:0000 ntpd
262    3    2   92K  10 Receive        0:00:02:0658    0:00:00:0000 ntpd
262    4    2   92K  10 Nanosleep      0:00:00:0654    0:00:00:0000 ntpd
262    5    2   92K  10 Receive        0:00:02:0585    0:00:00:0000 ntpd
262    6    2   92K  10 Receive        0:00:01:0545    0:00:00:0000 ntpd
262    7    3   92K  10 Receive        0:00:02:0572    0:00:00:0000 ntpd
262    8    3   92K  10 Receive        0:00:02:0548    0:00:00:0000 ntpd
262    9    2   92K  10 Receive        0:00:02:0538    0:00:00:0000 ntpd
RP/0/RSP0/CPU0:A9K-BNG#
