[c-nsp] NTP DDoS

Saku Ytti saku at ytti.fi
Tue Feb 18 12:45:41 EST 2014

On (2014-02-18 10:36 -0600), Charles Spurgeon wrote:

> "After applying an NTP access-group to deny inbound NTP queries, a
> device still responds to NTP queries as if the ACL was not configured."

Does it also affect numbered ACLs? For some reason NTP ACLs were for many, many
years the only place where you needed a numbered ACL; they didn't support named.

At any rate, on platforms which implement proper CoPP, like the 6500, there should be
no particular reason to have the ability to filter NTP or restrict monlist. Your
CoPP should specifically allow NTP only to your upstream NTP server.

Even if the NTP ACL would work, the notion that you accept that untrusted NTP packets
hit your puny control-plane is clearly completely unacceptable.
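
A CoPP policy of the kind described above, as an added example that is not part of the original post: NTP from one upstream server is policed and passed to the control plane, and all other NTP is dropped before it reaches the NTP process. The server address 192.0.2.10 (a documentation address), the ACL, class and policy names, and the police rates are assumptions to adapt; a production policy would also carry classes for routing protocols, management and other control-plane traffic.

```cisco
! Added example: hypothetical names, placeholder address and rates.
!
! NTP replies from the one trusted upstream server (placeholder address).
ip access-list extended COPP-ACL-NTP-TRUSTED
 permit udp host 192.0.2.10 eq ntp any eq ntp
!
! Any other NTP aimed at the router, including monlist queries.
ip access-list extended COPP-ACL-NTP-OTHER
 permit udp any any eq ntp
!
class-map match-all COPP-NTP-TRUSTED
 match access-group name COPP-ACL-NTP-TRUSTED
class-map match-all COPP-NTP-OTHER
 match access-group name COPP-ACL-NTP-OTHER
!
policy-map COPP-POLICY
 ! Classes are evaluated in order, so the trusted server matches first.
 class COPP-NTP-TRUSTED
  police 32000 1500 conform-action transmit exceed-action drop
 ! Everything else on UDP/123 is dropped whether or not it conforms.
 class COPP-NTP-OTHER
  police 32000 1500 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

After applying it, `show policy-map control-plane` shows per-class counters, so the drop counter on the second class indicates how much untrusted NTP is being aimed at the device.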


