[j-nsp] NTP Reflection

Richard A Steenbergen ras at e-gerbil.net
Mon Jan 13 16:25:19 EST 2014


Dear Juniper,

Please tell me you didn't actually do this. Please tell me that I'm just 
missing something, and that you would never do something so insane. Did 
you guys REALLY ship code that automatically enables an NTP server that 
responds to the world, with no authentication or options to restrict 
access or commands, whenever someone configures the router to be an NTP 
client? Because that's sure what it looks like.

The documentation on the subject is interesting too:

http://www.juniper.net/techpubs/en_US/junos13.1/topics/task/configuration/network-time-protocol-time-server-time-services-configuring.html

Configuring the Router or Switch to Operate in Client Mode:
* Do something

Configuring the Router or Switch to Operate in Server Mode:
* Do the exact same thing

Sigh... I'd be more disappointed, but hey it doesn't crash anything when 
someone uses your routers as an NTP reflection attack amplifier, so I 
suppose you can at least be proud of that.

For anyone who doesn't know what I'm talking about, you might want to 
read:

http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300

And then start making sure UDP/123 is blocked in your lo0 firewall 
filters.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
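A concrete form of the lo0 filter recommended at the end of the post, as an added example that is not part of the original message: it assumes the router's NTP servers are configured under [edit system ntp server], and the names PROTECT-RE, ntp-servers and ntp-denied are placeholders. The prefix list uses apply-path so the allow list follows the configured servers instead of hard-coded addresses.

```junos
/* Added example: accept UDP/123 only from the configured NTP servers, drop and log the rest */
policy-options {
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            term ntp-from-servers {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    source-port ntp;
                    destination-port ntp;
                }
                then accept;
            }
            term ntp-deny {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-denied;
                    syslog;
                    discard;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

The final accept term is a placeholder; a production RE filter enumerates the remaining management and routing protocols explicitly and ends in a discard, and NTP over IPv6 needs the same terms under family inet6. `show firewall filter PROTECT-RE` reports the ntp-denied counter, which is a quick way to confirm whether reflection queries are still reaching the router.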


More information about the juniper-nsp mailing list