[c-nsp] NTP DDoS

Gert Doering gert at greenie.muc.de
Tue Feb 18 12:46:01 EST 2014


On Tue, Feb 18, 2014 at 10:36:44AM -0600, Charles Spurgeon wrote:
> BTW, our attempts to filter NTP on 6500s running 15.1(1)SY1 and
> 15.1(2)SY1 IOS code have been unsuccessful due to bug CSCuj66318:
> -------------------- 
> "After applying an NTP access-group to deny inbound NTP queries, a
> device still responds to NTP queries as if the ACL was not configured."
> --------------------
> The bugID states that it only affects 15.2 code, but it also affects
> 15.1. This also affects 15.1 code on 4500s and 15.2 code on 3560s.

There is weirdness in the "new NTP" code...

I recently tried to change our NTP server's IP address, using the 
following config fragment:

   ntp server n.e.w.ip
   no ntp server o.l.d.ip

and "rcp config.cf $device:running-config" that to the devices in question
(before you yell at me: this is what works on *all* IOS versions, and there
are sufficient ACLs around this that it cannot be abused remotely - and if 
someone manages to sniff my management LAN, I have far worse problems).

Now, this works on every Cisco in the world - except on those of our switches 
that have 12.2(58)SE1/12.2(58)SE2.  On those, it will happily remove the
old IP, but refuse to add a new one.

Only via rcp, of course.  

If I paste the config snipped into "conf term", it works perfectly well...

(It also works on 15.1SY, so my NTP weirdness is not your NTP weirdness).

No, I'm not going to explain to TAC what this "ip rcmd" stuff is.  Been
there, got nowhere.


USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20140218/373f7d2a/attachment.sig>

More information about the cisco-nsp mailing list