[c-nsp] NTP DDoS

Charles Spurgeon c.spurgeon at austin.utexas.edu
Tue Feb 18 11:36:44 EST 2014

On Tue, Feb 18, 2014 at 04:53:44AM +0200, Mark Tinka wrote:
> On Tuesday, February 18, 2014 04:29:31 AM Aaron wrote:
> > My gosh!  NTP ddos attacks are coming like crazy lately. 
> > Y'all getting hit ?
> > 
> > I'm going to need to setup a bgp injection thingy with my
> > upstream providers to signal a /32 for my victim(s) in
> > my network so I can selective blackhole traffic in the
> > cloud prior to it hitting my internet links..... this is
> > getting really bad
> It's been an issue since early last month.
> Be sure to have ACLs for your NTP sessions from your 
> routers/switches/APs/etc., as well as patched 
> NTP/filtered servers to eliminate attack surfaces.

BTW, our attempts to filter NTP on 6500s running 15.1(1)SY1 and
15.1(2)SY1 IOS code have been unsuccessful due to bug CSCuj66318:
"After applying an NTP access-group to deny inbound NTP queries, a
device still responds to NTP queries as if the ACL was not configured."

The bugID states that it only affects 15.2 code, but it also affects
15.1. This also affects 15.1 code on 4500s and 15.2 code on 3560s.

Bug severity set by Cisco to "Severity: 3 Moderate"

Cisco definition for Moderate severity level:
"Things fail under unusual circumstances, or minor features do not work
at all, or things fail but there is a low-impact workaround. This is
the highest level for documentation bugs."


Charles E. Spurgeon
University of Texas at Austin / ITS Networking
c.spurgeon at its.utexas.edu / 512.475.9265
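The two filtering layers the thread touches on, as an added IOS configuration sketch that is not from the thread, from the poster, or from Cisco documentation: the NTP-process access-group that the bug report says is ignored on the affected releases, and an interface ACL that drops UDP/123 before the NTP process ever sees the packet. The addresses 192.0.2.10 and 192.0.2.11 (the only hosts this box is meant to talk NTP with), the ACL names and the interface names are all assumptions; the interface ACL is offered as an independent control path, not as Cisco's published workaround for CSCuj66318.

```cisco
! Constructed example. 192.0.2.10/11 are placeholder NTP peers.
!
! Standard ACL naming the only hosts this device should exchange NTP with.
ip access-list standard NTP-PEERS
 permit 192.0.2.10
 permit 192.0.2.11
 deny   any log
!
! Layer 1: NTP-process filter. On unaffected code this alone stops replies
! to anyone not in NTP-PEERS. On the releases named in the thread it is
! reported to be ignored, so it must not be the only control.
ntp access-group peer NTP-PEERS
ntp server 192.0.2.10
ntp server 192.0.2.11
!
! Layer 2: interface ACL on the uplink. Only the two peers may send NTP in;
! everything else to UDP/123 is dropped (and logged) before the NTP process
! sees it. Everything that is not NTP passes through unchanged.
ip access-list extended EDGE-IN
 permit udp host 192.0.2.10 eq ntp any eq ntp
 permit udp host 192.0.2.11 eq ntp any eq ntp
 deny   udp any any eq ntp log
 permit ip any any
!
interface GigabitEthernet1/1
 description uplink (path to the NTP peers)
 ip access-group EDGE-IN in
!
! Interfaces with no NTP peers behind them can refuse NTP outright.
! Do not put this on the interface through which the peers are reached.
interface GigabitEthernet1/2
 description customer-facing
 ntp disable
!
! Verification after the change:
!   show ntp associations         - both peers still reachable and syncing
!   show ip access-lists EDGE-IN  - hit counter on the "deny udp ... eq ntp" line climbing
!   show logging | include EDGE-IN - who is still sending queries
```

The useful check is the counter on the deny line: if the device is being used as a reflector, that counter rises while `show ntp associations` stays healthy, which tells you the interface ACL is doing the work regardless of whether the `ntp access-group` is being honoured on your release.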
