Knowledge Search


×
 

NTP Mode 7 Denial-of-Service Vulnerability

  [JSA10416] Show Article Properties


Legacy Advisory Id:
PSN-2009-12-609
Product Affected:
All routers and switches running Junos with NTP server configured.
All DX Series Application Acceleration products with NTP server configured.
Problem:

On December 8, 2009, US-CERT published Vulnerability Note VU#568372 entitled, "NTP mode 7 denial-of-service vulnerability". Internal testing has determined that Junos routers and the DX Series are vulnerable to this spoofed NTP control message, causing error messages to be "ping ponged" back and forth between NTP servers. While the effect on the Junos RE is minimal and not service-affecting, Juniper Networks SIRT has logged PR 493591 to have this issue resolved in all non-EOL releases of Junos.
Solution:

The defect described above will be resolved in all supported releases of Junos, and in the next release of DX-OS. A fix for PR/493591 for Junos has already been coded and is being tested by JTAC. Once testing has been confirmed as successful, the fix will be merged through all non-EOE branches, and be made available in follow-on maintenance and services releases of Junos software.

Workaround:
  • Deny any NTP packet from outside the network to reach the infrastructure
    The only NTP packets coming into your network should be those which are time synchronization sources and NTP queries from customers of your network. Customers can be set up where they get NTP broadcast from the upstream router, which also reduces any need to allow for any NTP packets into the network. This "no NTP into the infrastructure unless explicitly configured" policy can be configured with infrastructure ACLs on the edge of your network or by using well known IP anti-spoofing techniques (IETF BCP 38).
  • Disable NTP server
    If NTP server functionality is not required, disabling the service is a viable and effective mitigation technique. This workaround is applicable to both Junos and DX-OS.
Status:
FINAL.

Please see PSN-2010-04-711 for the latest information regarding this vulnerability, including fix details.
Modification History:
Modification History:

2017-03-05: Category restructure.

Related Links:
Risk Level:
Medium
Risk Assessment:
The effect on the Junos RE is minimal and not service-affecting, although the added load on ntpd and logging may have a minor adverse effect on NTP service. The effect on DX Series Application Acceleration products is unknown at this time.

Implementing typical security BCPs to limit access to NTP services on the RE is strongly recommended.