Updated: NTP Mode 7 Denial-of-Service Vulnerability (VU#568372)



Article ID: JSA10433 SECURITY_ADVISORIES Last Updated: 05 Mar 2017 Version: 2.0
Legacy Advisory Id:
Product Affected:
All JUNOS devices with NTP server enabled.
This is an update to previously published PSN-2009-12-609.

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of a malformed mode 7 request, or of a mode 7 error response, from an address that is not covered by a "restrict ... noquery" or "restrict ... ignore" statement, ntpd replies with a mode 7 error response (and logs a message). Because this is the intended behaviour, a single packet with a spoofed source address is enough to start a loop:
  • If an attacker spoofs the source address of ntpd host A in a mode 7 error response sent to ntpd host B, A and B will continuously send each other error responses for as long as those packets get through.
  • If an attacker spoofs the address of ntpd host A in a mode 7 error response sent to ntpd host A itself, A will respond to itself endlessly, consuming CPU and logging excessively.
This issue is being tracked as PR 493591. While this PR is not viewable by customers, it can be used as a reference when discussing the issue with JTAC.
All JUNOS software releases built on or after January 9, 2010, have been updated to resolve this issue. Releases containing the fix specifically include: 8.5S6, 9.0S3, 9.1S8, 9.3S8, 9.6S4, 10.0S3, 10.1R1, and all subsequent releases.
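The following is an added example, not code from the advisory or from Juniper, that models the mode 7 behaviour described above. It encodes and decodes the 8-byte MODE_PRIVATE header as laid out in ntpd's ntp_request.h, and a toy `handle_mode7()` reproduces both the pre-fix behaviour (any unexpected mode 7 packet, including a response, draws an error response) and the fixed behaviour (anything carrying the response bit is dropped, since a server never solicits responses). `simulate_loop()` replays the two scenarios from the advisory with a constructed attacker datagram. The request-code table and the exact error code returned in each branch are simplifications chosen for the example and are not a faithful copy of ntpd's request processing.

```python
import struct
from dataclasses import dataclass

# Mode 7 (MODE_PRIVATE) packet header, as laid out in ntpd's ntp_request.h:
#   byte 0   : R(1) M(1) version(3) mode(3)   R = response bit, M = "more" bit
#   byte 1   : A(1) sequence(7)               A = authenticated bit
#   byte 2   : implementation number
#   byte 3   : request code
#   bytes 4-5: err(4) nitems(12)
#   bytes 6-7: mbz(4) itemsize(12)
# Only the header matters for this issue; the data area that follows is omitted.
RESP_BIT = 0x80
MODE_PRIVATE = 7
INFO_ERR_OKAY = 0   # error codes from ntp_request.h
INFO_ERR_REQ = 2    # unknown request code
INFO_ERR_FMT = 3    # format error (wrong version, not a request, ...)
IMPL_XNTPD = 3

# Hypothetical: the request codes this toy server "implements" (real ntpd has dozens).
KNOWN_REQUESTS = {0, 1, 2, 3}


@dataclass
class Mode7:
    response: bool
    version: int
    mode: int
    seq: int
    impl: int
    req: int
    err: int
    nitems: int


def build_mode7(response, version=2, seq=0, impl=IMPL_XNTPD, req=0,
                err=INFO_ERR_OKAY, nitems=0, itemsize=0):
    """Encode an 8-byte mode 7 header; response=True sets the R bit."""
    b0 = (RESP_BIT if response else 0) | ((version & 7) << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", b0, seq & 0x7F, impl & 0xFF, req & 0xFF,
                       ((err & 0xF) << 12) | (nitems & 0xFFF), itemsize & 0xFFF)


def parse_mode7(data):
    """Decode a mode 7 header; returns None if the datagram is too short."""
    if len(data) < 8:
        return None
    b0, b1, impl, req, err_nitems, _mbz_itemsize = struct.unpack("!BBBBHH", data[:8])
    return Mode7(response=bool(b0 & RESP_BIT), version=(b0 >> 3) & 7, mode=b0 & 7,
                 seq=b1 & 0x7F, impl=impl, req=req,
                 err=err_nitems >> 12, nitems=err_nitems & 0xFFF)


def handle_mode7(data, src_restricted, patched):
    """Model of ntpd's handling of one inbound mode 7 datagram.

    Returns the datagram ntpd sends back to the packet's source address, or None.
    src_restricted models a "restrict ... noquery" / "restrict ... ignore" match on
    the source address (no reply at all).
    patched=False: the pre-fix behaviour, where a packet that is not a valid request
    (including a response) draws an error response.
    patched=True : the fixed behaviour, where anything carrying the response bit is
    dropped silently, since a server never solicits responses.
    """
    pkt = parse_mode7(data)
    if pkt is None or pkt.mode != MODE_PRIVATE or src_restricted:
        return None
    if pkt.response:
        if patched:
            return None
        return build_mode7(True, pkt.version, pkt.seq, pkt.impl, pkt.req, INFO_ERR_FMT)
    if pkt.req not in KNOWN_REQUESTS:
        return build_mode7(True, pkt.version, pkt.seq, pkt.impl, pkt.req, INFO_ERR_REQ)
    return build_mode7(True, pkt.version, pkt.seq, pkt.impl, pkt.req, INFO_ERR_OKAY)


def simulate_loop(patched, self_spoof=False, max_rounds=1000):
    """Replay the advisory's two scenarios with constructed packets.

    self_spoof=False: attacker sends host B a mode 7 error response with host A's
    address as the spoofed source, so B's reply goes to A, A's reply goes to B, ...
    self_spoof=True : the spoofed source is B's own address, so B replies to itself.
    Returns how many reply packets were generated before traffic stopped (capped).
    """
    # Constructed attacker datagram: a mode 7 error response to a request nobody sent.
    spoofed = build_mode7(True, req=99, err=INFO_ERR_REQ)
    hosts = {"A": lambda d: handle_mode7(d, False, patched),
             "B": lambda d: handle_mode7(d, False, patched)}
    dst, data, sent = "B", spoofed, 0
    while sent < max_rounds:
        reply = hosts[dst](data)
        if reply is None:
            break
        sent += 1
        # The reply is addressed to the (spoofed or genuine) source of what was received.
        dst, data = ("B" if self_spoof else ("A" if dst == "B" else "B")), reply
    return sent


if __name__ == "__main__":
    print("pre-fix A<->B replies :", simulate_loop(patched=False))
    print("pre-fix B->B replies  :", simulate_loop(patched=False, self_spoof=True))
    print("patched A<->B replies :", simulate_loop(patched=True))    # 0: dropped
    print("patched B->B replies  :", simulate_loop(patched=True, self_spoof=True))
```

The point the simulation makes is that the loop is not a bug in any single reply: each host behaves correctly by its own rules, and the amplification comes from treating an unsolicited response as something that deserves an answer. The fix is therefore a single check on the response bit, and a "restrict ... ignore" on untrusted sources does not help once the spoofed source is a host you legitimately talk to.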

  • Deny NTP packets from outside the network to the infrastructure
    The only NTP packets entering your network should be those from your configured time-synchronization sources and NTP queries from your own customers. Customers can instead be served by NTP broadcast from the upstream router, which further reduces the need to allow NTP into the network. This "no NTP into the infrastructure unless explicitly configured" policy can be enforced with infrastructure ACLs at the network edge and with source-address anti-spoofing (IETF BCP 38). Ingress filtering is particularly relevant here, since both attack variants described above depend on a packet arriving with a spoofed source address.

  • Disable NTP server
    If NTP server functionality is not required, disabling the service is a viable and effective mitigation technique. This workaround is applicable to both Junos and DX-OS.
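The fragment below is an added example of the first workaround on a Junos device; it is not configuration from the advisory or from Juniper, and the prefix-list name, filter name, term names and the 192.0.2.0/24 documentation addresses are placeholders to be replaced with your own time sources. It admits UDP/123 to the Routing Engine only from the listed sources and discards every other NTP packet arriving at the RE, while leaving the device's own outbound NTP queries (whose replies return to an ephemeral port, not port 123) unaffected.

```junos
/* Added example: allow NTP to the Routing Engine only from configured time sources. */
policy-options {
    prefix-list ntp-sources {
        192.0.2.10/32;    /* placeholder: upstream time source */
        192.0.2.11/32;    /* placeholder: upstream time source */
    }
}
firewall {
    family inet {
        filter protect-re {
            term ntp-from-trusted {
                from {
                    source-prefix-list {
                        ntp-sources;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            term ntp-drop-rest {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-dropped;
                    discard;
                }
            }
            /* Placeholder: in production this is the rest of your RE protection filter. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Applying the filter on lo0 covers traffic destined to the RE regardless of which physical interface it arrived on. A loopback filter does not by itself stop a spoofed packet whose claimed source is one of the listed time sources; that is what the BCP 38 part of the workaround is for, so pair it with unicast RPF (`rpf-check` under `family inet` on edge interfaces) or equivalent ingress filtering at the network boundary. The `count ntp-dropped` counter gives a quick way to confirm the term is matching during an event (`show firewall filter protect-re`).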

How to obtain Service Releases:

Security vulnerabilities are fixed in the next available Maintenance Release of each supported JUNOS version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory notices will indicate which Maintenance and/or Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
Modification History:

2017-03-05: Category restructure.

CVSS Score:
5 (AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:W/RC:C)
Severity Level:
Severity Assessment:

Information on how Juniper Networks uses CVSS can be found in KB 16446, "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories".
