Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Protecting ASR9K from ntp attacks

Hi Everyone,

I was suprised to find some IP addresses of our ASR9K devices listed as responding to ntp from AusCERT.

My only ntp config is:

RP/0/RSP0/CPU0:asr9006-01#sh run ntp
Wed Apr  2 11:49:45.393 EST
ntp
 peer 10.x.y.z version 2 source MgmtEth0/RSP0/CPU0/0
!

So I'm wondering what the recommended way to protect the ASR9K is? Is it ACL or NTP config. I've checked the hardening guide but it's not conclusive i.e.

NTP services are disabled on all interfaces in Cisco IOS XR Software by default. Administrators should enable it only on the specific interface when necessary. When NTP is enabled globally, administrators can selectively prevent NTP packets from being received through a specific interface by turning off NTP on a given interface, as shown in the following example:

Any guidance is appreciated.

Mike

 

 

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi Mike,ntp authentication is

Hi Mike,

ntp authentication is not helping that much it is merely to validate the server ('s validity) rather then it protects this client.

The ACL on NTP can be used, but that is applied at the sw level, so may not be all that helpful.

What you probably can or want to do is the following.

You define your servers that you want to connect with, then LPTS will associate them with the NTP-KNOWN policier. All other clients will follow LPTS policer NTP-default.

 

Example, config used:

ntp
 server 3.0.0.1
!

LPTS entries:

RP/0/RSP0/CPU0:A9K-BNG#show lpts pifib hardware entry brief location 0/0/cPU0   | i 123
Wed Apr  2 07:54:53.996 EDT
32     IPV4 default      UDP    any             LU(30) any,123 3.0.0.1,any << yes we like that
204    IPV4 default      UDP    any             LU(30) any,123 any,any << crap this we need to close of!

The policer entry for the 3.0.0.1 is :

RP/0/RSP0/CPU0:A9K-BNG#show lpts pifib hardware entry loc 0/0/cPU0 | be 3.0.0.1        
Wed Apr  2 07:55:55.137 EDT
Source IP         : 3.0.0.1
Is Fragment       : 0
Interface         : any
M/L/T/F           : 0/IPv4_LISTENER/0/NTP-known <<<
DestNode          : 48
DestAddr          : 48
SID               : 7
L4 Protocol       : UDP
Source port       : Port:any
Destination Port  : 123
Ct                : 0x613110
Accepted/Dropped  : 0/0
Lp/Sp             : 1/255
# of TCAM entries : 1
HPo/HAr/HBu/Cir   : 14876884/200pps/200ms/200pps
State             : Entry in TCAM
Rsp/Rtp           : 26/40

 

The LPTS Policer values are defined as:

RP/0/RSP0/CPU0:A9K-BNG#show lpts pifib hardware police location 0/0/cPU0  | i NTP
Wed Apr  2 07:57:29.351 EDT
NTP-default            126     Static  200        200        0                    0                    01234567            
NTP-known              180     Static  200        200        0                    0                    01234567         

 

So if we set NTP-default with config

lpts pifib hardware police
 flow ntp default rate 1

you are in good shape.

 

makes sense?

regards

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
7 REPLIES
Cisco Employee

Hi Mike,ntp authentication is

Hi Mike,

ntp authentication is not helping that much it is merely to validate the server ('s validity) rather then it protects this client.

The ACL on NTP can be used, but that is applied at the sw level, so may not be all that helpful.

What you probably can or want to do is the following.

You define your servers that you want to connect with, then LPTS will associate them with the NTP-KNOWN policier. All other clients will follow LPTS policer NTP-default.

 

Example, config used:

ntp
 server 3.0.0.1
!

LPTS entries:

RP/0/RSP0/CPU0:A9K-BNG#show lpts pifib hardware entry brief location 0/0/cPU0   | i 123
Wed Apr  2 07:54:53.996 EDT
32     IPV4 default      UDP    any             LU(30) any,123 3.0.0.1,any << yes we like that
204    IPV4 default      UDP    any             LU(30) any,123 any,any << crap this we need to close of!

The policer entry for the 3.0.0.1 is :

RP/0/RSP0/CPU0:A9K-BNG#show lpts pifib hardware entry loc 0/0/cPU0 | be 3.0.0.1        
Wed Apr  2 07:55:55.137 EDT
Source IP         : 3.0.0.1
Is Fragment       : 0
Interface         : any
M/L/T/F           : 0/IPv4_LISTENER/0/NTP-known <<<
DestNode          : 48
DestAddr          : 48
SID               : 7
L4 Protocol       : UDP
Source port       : Port:any
Destination Port  : 123
Ct                : 0x613110
Accepted/Dropped  : 0/0
Lp/Sp             : 1/255
# of TCAM entries : 1
HPo/HAr/HBu/Cir   : 14876884/200pps/200ms/200pps
State             : Entry in TCAM
Rsp/Rtp           : 26/40

 

The LPTS Policer values are defined as:

RP/0/RSP0/CPU0:A9K-BNG#show lpts pifib hardware police location 0/0/cPU0  | i NTP
Wed Apr  2 07:57:29.351 EDT
NTP-default            126     Static  200        200        0                    0                    01234567            
NTP-known              180     Static  200        200        0                    0                    01234567         

 

So if we set NTP-default with config

lpts pifib hardware police
 flow ntp default rate 1

you are in good shape.

 

makes sense?

regards

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
New Member

Thanks Xander,That certainly

Thanks Xander,

That certainly has helped and resolved the issue. What is not clear on the security/hardening guidelines is what the best way to do things is. You have to read everything, test it and then come up with your plan. Is there anyone who has a recommended guide for securing Internet routers without having to become an expert first to understand how to apply it?

Regards
Mike

New Member

xander,flow ntp default rate

xander,

flow ntp default rate 1

where did the "1" come from?

 

--Tim

New Member

I see now its the rate in pps

I see now its the rate in pps.

 

--Tim

Cisco Employee

sorry for the late reply Tim,

sorry for the late reply Tim, but yes this is in PPS.

setting it to zero is possible I believe but due to the way the policer works there is always a burst of 1 so completely blocking it is not possible with lpts.

If this is very very important to get it to zero, then an ACL or policer via MQC with xmit, violate and exceed actions set to drop.

 

cheers

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
New Member

NTP still responds without an

NTP still responds without an interface ACL. How do we disable the ntp server?

Cisco Employee

that is correct, that process

that is correct, that process is started by default.

Here is an example to shutdown the process and how to work that:

regards

xander

RP/0/RSP0/CPU0:A9K-BNG#process shutdown ntpd
Thu Apr 10 20:40:44.869 EDT
Process Shutdown of a process could leave the System in an Inconsistent State. Proceed? [confirm]RP/0/RSP0/CPU0:Apr 10 20:40:45.685 : sysmgr_control[65889]: %OS-SYSMGR-4-PROC_SHUTDOWN_NAME : User root (con0_RSP0_CPU0) requested a shutdown of process ntpd at 0/RSP0/CPU0

RP/0/RSP0/CPU0:A9K-BNG#show proc | i ntp    
Thu Apr 10 20:41:01.103 EDT
RP/0/RSP0/CPU0:A9K-BNG#process start ntpd   
Thu Apr 10 20:41:12.291 EDT
RP/0/RSP0/CPU0:Apr 10 20:41:12.313 : sysmgr_control[65737]: %OS-SYSMGR-4-PROC_START_NAME : User root (con0_RSP0_CPU0) requested a start of process ntpd at 0/RSP0/CPU0
RP/0/RSP0/CPU0:A9K-BNG#show proc | i ntp
Thu Apr 10 20:41:14.867 EDT
262    1    3   92K  10 Receive        0:00:00:0543    0:00:00:0041 ntpd
262    2    1   92K  10 Receive        0:00:02:0664    0:00:00:0000 ntpd
262    3    2   92K  10 Receive        0:00:02:0658    0:00:00:0000 ntpd
262    4    2   92K  10 Nanosleep      0:00:00:0654    0:00:00:0000 ntpd
262    5    2   92K  10 Receive        0:00:02:0585    0:00:00:0000 ntpd
262    6    2   92K  10 Receive        0:00:01:0545    0:00:00:0000 ntpd
262    7    3   92K  10 Receive        0:00:02:0572    0:00:00:0000 ntpd
262    8    3   92K  10 Receive        0:00:02:0548    0:00:00:0000 ntpd
262    9    2   92K  10 Receive        0:00:02:0538    0:00:00:0000 ntpd
RP/0/RSP0/CPU0:A9K-BNG#

 

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
399
Views
0
Helpful
7
Replies