[j-nsp] NTP Reflection

Jared Mauch jared at puck.nether.net
Mon Jan 13 17:10:22 EST 2014


On Jan 13, 2014, at 4:25 PM, Richard A Steenbergen <ras at e-gerbil.net> wrote:

> Dear Juniper,
> 
> Please tell me you didn't actually do this. Please tell me that I'm just 
> missing something, and that you would never do something so insane. Did 
> you guys REALLY ship code that automatically enables an NTP server that 
> responds to the world, with no authentication or options to restrict 
> access or commands, whenever someone configures the router to be an NTP 
> client? Because that's sure what it looks like.
> 
> The documentation on the subject is interesting too:
> 
> http://www.juniper.net/techpubs/en_US/junos13.1/topics/task/configuration/network-time-protocol-time-server-time-services-configuring.html
> 
> Configuring the Router or Switch to Operate in Client Mode:
> * Do something
> 
> Configuring the Router or Switch to Operate in Server Mode:
> * Do the exact same thing
> 
> Sigh... I'd be more disappointed, but hey it doesn't crash anything when 
> someone uses your routers as an NTP reflection attack amplifier, so I 
> suppose you can at least be proud of that.
> 
> For anyone who doesn't know what I'm talking about, you might want to 
> read:
> 
> http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
> https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
> 
> And then start making sure UDP/123 is blocked in your lo0 firewall 
> filters.

I’ve not seen any way other than firewall filters to mitigate this traffic.  There is a Juniper “enhancement” pending to upgrade the NTP version.

- Jared
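As an added example (it is not part of either message above, and not Juniper's own documentation or code), here is the shape of the lo0 filter Richard is asking for: accept UDP/123 only when it comes from the NTP servers the box is itself configured to use, drop and count everything else on UDP/123, and let the rest of the Routing Engine traffic through. The server addresses 192.0.2.10 and 192.0.2.11, the filter name protect-re and the counter name ntp-reflection-drops are assumptions for illustration; substitute your own. The prefix-list uses apply-path so that the filter follows the servers under [edit system ntp] rather than a second hand-maintained copy of them.

```junos
/* Added example, not from the original post. Addresses and names are placeholders. */
system {
    ntp {
        server 192.0.2.10;   /* assumed upstream NTP server */
        server 192.0.2.11;   /* assumed upstream NTP server */
    }
}
policy-options {
    prefix-list ntp-servers {
        /* Pull the configured NTP servers into a prefix-list automatically */
        apply-path "system ntp server <*>";
    }
}
firewall {
    family inet {
        filter protect-re {
            term allow-ntp-from-our-servers {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    /* replies from the servers come from source port 123 to our port 123 */
                    port ntp;
                }
                then accept;
            }
            term drop-other-ntp {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    /* count the drops so you can see who is still probing you */
                    count ntp-reflection-drops;
                    discard;
                }
            }
            term allow-everything-else {
                /* placeholder: a real RE filter should be much tighter than this */
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After committing, `show firewall filter protect-re` shows the ntp-reflection-drops counter climbing if anyone is still hitting the box, and `show ntp associations` confirms the router can still reach its own servers through the accept term. From a host outside the allowed prefixes, `ntpq -p <router>` and `ntpdc -n -c monlist <router>` should now time out rather than answer; the monlist (mode 7) response is the one the CloudFlare and SANS links above describe as the amplifier. If the router has a family inet6 NTP server configured, a matching filter is needed under family inet6 as well.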

