[j-nsp] NTP Reflection
Jared Mauch
jared at puck.nether.net
Mon Jan 13 17:10:22 EST 2014
On Jan 13, 2014, at 4:25 PM, Richard A Steenbergen <ras at e-gerbil.net> wrote:
> Dear Juniper,
>
> Please tell me you didn't actually do this. Please tell me that I'm just
> missing something, and that you would never do something so insane. Did
> you guys REALLY ship code that automatically enables an NTP server that
> responds to the world, with no authentication or options to restrict
> access or commands, whenever someone configures the router to be an NTP
> client? Because that's sure what it looks like.
>
> The documentation on the subject is interesting too:
>
> http://www.juniper.net/techpubs/en_US/junos13.1/topics/task/configuration/network-time-protocol-time-server-time-services-configuring.html
>
> Configuring the Router or Switch to Operate in Client Mode:
> * Do something
>
> Configuring the Router or Switch to Operate in Server Mode:
> * Do the exact same thing
>
> Sigh... I'd be more disappointed, but hey it doesn't crash anything when
> someone uses your routers as an NTP reflection attack amplifier, so I
> suppose you can at least be proud of that.
>
> For anyone who doesn't know what I'm talking about, you might want to
> read:
>
> http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
> https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
>
> And then start making sure UDP/123 is blocked in your lo0 firewall
> filters.
I’ve not seen any way other than firewall filters to mitigate this traffic. There is a Juniper “enhancement” pending to upgrade the NTP version.
- Jared
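The lo0 filter approach the thread recommends, as an added illustration that is not from either poster: the two NTP terms accept replies only from the router's own configured time servers (constructed addresses 192.0.2.10 and 192.0.2.11) and discard every other UDP/123 packet before it reaches the routing engine, so the router stops answering reflection queries while its NTP client keeps working.

```junos
firewall {
    family inet {
        filter PROTECT-RE {
            /* Replies from the NTP servers this router is configured to poll */
            term allow-ntp-from-servers {
                from {
                    source-address {
                        192.0.2.10/32;   /* constructed example, use your real servers */
                        192.0.2.11/32;
                    }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            /* Everything else aimed at UDP/123 on the RE is dropped and counted,
               which is the traffic a reflection attack would use */
            term deny-ntp {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-dropped;
                    discard;
                }
            }
            /* Placeholder so the fragment is complete; a production lo0 filter
               continues with the rest of its control-plane policy here */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

The `ntp-dropped` counter (`show firewall filter PROTECT-RE`) gives a quick way to see whether the box is still being probed after the filter is applied.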