[j-nsp] NTP Reflection

Chris Adams cma at cmadams.net
Mon Jan 13 17:07:33 EST 2014


Once upon a time, Richard A Steenbergen <ras at e-gerbil.net> said:
> Please tell me you didn't actually do this. Please tell me that I'm just
> missing something, and that you would never do something so insane. Did
> you guys REALLY ship code that automatically enables an NTP server that
> responds to the world, with no authentication or options to restrict
> access or commands, whenever someone configures the router to be an NTP
> client? Because that's sure what it looks like.

That is the case.  A co-worker at my PPOE went through this last week;
an NTP reflection attack to a Juniper M10i OC-3 interface to the
Internet caused routing protocols to flap repeatedly because it
overloaded the RE (so not just participating in somebody else's DDoS but
also crippling the router).

This appears to be the case on all JUNOS routers and switches
(everything I tried anyway).  "restrict default ignore" should be the
default, with an option to disable that or allow more remote devices to
monitor your NTP.

AFAIK the only current way to fix it is a firewall filter on lo0 that
limits inbound UDP port 123 to be from your NTP servers (and monitoring
system, if you monitor NTP).
-- 
Chris Adams <cma at cmadams.net>
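
Added example, not part of the original message: one way to write the lo0 filter the post describes, in Junos set-command form. The filter name, prefix-list name and the 192.0.2.x / 198.51.100.x addresses are placeholders chosen for illustration; substitute your own NTP servers and monitoring hosts.

```junos
# Hosts allowed to exchange NTP with the routing engine (placeholder addresses).
# 192.0.2.10 and 192.0.2.11 stand in for the upstream NTP servers,
# 198.51.100.5 for a monitoring system that polls NTP on the router.
set policy-options prefix-list NTP-ALLOWED 192.0.2.10/32
set policy-options prefix-list NTP-ALLOWED 192.0.2.11/32
set policy-options prefix-list NTP-ALLOWED 198.51.100.5/32

# Term 1: accept UDP/123 only when the source is in the allowed list.
# Server replies arrive with destination port 123, so this term also
# lets the router's own client associations keep working.
set firewall family inet filter PROTECT-RE term ntp-allowed from source-prefix-list NTP-ALLOWED
set firewall family inet filter PROTECT-RE term ntp-allowed from protocol udp
set firewall family inet filter PROTECT-RE term ntp-allowed from destination-port ntp
set firewall family inet filter PROTECT-RE term ntp-allowed then accept

# Term 2: silently drop every other packet addressed to UDP/123,
# counting the drops so reflection attempts show up in the filter counters.
set firewall family inet filter PROTECT-RE term ntp-other from protocol udp
set firewall family inet filter PROTECT-RE term ntp-other from destination-port ntp
set firewall family inet filter PROTECT-RE term ntp-other then count ntp-dropped
set firewall family inet filter PROTECT-RE term ntp-other then discard

# Term 3: this example restricts NTP only, so all other traffic to the RE
# is accepted. Without this term the implicit final discard would cut off
# routing protocols and management access.
set firewall family inet filter PROTECT-RE term everything-else then accept

# Apply the filter to traffic destined to the routing engine.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Activate with an automatic rollback window in case access is lost:
#   commit confirmed 5
```

If lo0 already has an input filter, add the two NTP terms to it ahead of its final term rather than applying a second filter. A matching `family inet6` filter is needed if the router is also reachable over IPv6.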

