Example – Protecting EX Series switches from unwanted NTP requests


If an EX Series switch receives a flood of unwanted Network Time Protocol (NTP) requests, it becomes too busy serving them: the ntpd and Software Forwarding Infrastructure Daemon (sfid) processes consume excessive CPU, which can cause protocol flaps. This article describes the technical background, the symptoms, and the proper filter rule for the EX Series (except the EX9200).

An EX Series switch receives unwanted NTP requests, which could result in protocol flaps.

The NTP server shipped with UNIX and Linux supports the monlist request. With it, a requester can retrieve the list of clients the NTP server is serving. Recent versions of the NTP server answer this request only from localhost; older versions, however, answer it from remote clients as well.

Users can see what information is provided by the request using the following command:

Attackers can use this feature to launch a UDP volumetric attack on a victim by:

  • Sending a small number and volume of request packets
  • Triggering a large number and volume of response packets toward the victim

This is an evolved form of DDoS attack: it abuses an NTP feature instead of relying on a network of compromised hosts (zombies).

Symptoms in EX Switches

1. The following log messages are observed:

2. Under a DDoS attack, the CPU utilization of sfid and ntpd will be high:

3. Even though the NTP configuration was removed, the CPU utilization of sfid is still high:

Differences Between EX and M/T/MX

1. The lo0 filter of EX does not cover the me0/vme interface. If the me0/vme is configured and used, the filter must be configured for me0/vme as well.

2. On the other platforms, the lo0 filter does not affect communication between lo0 and lo0. The EX Series (except the EX9200) behaves differently.

There was no problem when tested on an EX8208 running 11.4R8.5 and 12.3R4.6, even without an accept term for the IP address of the lo0 interface in the lo0 filter. The lo0 filter mechanism of the EX Series differs from that of the other platforms.

3. The EX Series does not support the port matching condition.

  • The EX CLI accepts the port matching condition in a firewall filter as a hidden command, but the condition has no effect. This confuses operators.
  • "commit" shows no warning or error; only the show command displays a warning such as the following:
In many cases, however, switch operators prefer the command show | display set, which does not show the warning.

Recommended Filter Rule Set

Add these firewall filter terms to the lo0 interface filter and also to the me0/vme interface filter, if it is configured.
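As an added example (not the article's own rule set, which is not reproduced on this page), a lo0 filter that accepts NTP replies only from the configured servers and drops every other NTP packet aimed at the Routing Engine, with a counter so the drops can be observed. It assumes the switch is an NTP client only (not an NTP server for downstream hosts), that the prefix-list addresses are placeholders to be replaced with the servers configured under [system ntp], and that the explicit source-port/destination-port conditions are honored on the target release; since the article notes that a port condition can be silently ignored on EX, verify the counter increments after commit.

```junos
/* Added example; placeholder addresses, not the article's own filter */
policy-options {
    prefix-list ntp-servers {
        /* Replace with the servers configured under [system ntp] */
        192.0.2.10/32;
        192.0.2.11/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Term order matters: accept replies from trusted servers first */
            term ntp-from-trusted-servers {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            /* Anything else sent to UDP/123 on the RE, monlist queries included, is dropped and counted */
            term ntp-discard {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-discard;
                    discard;
                }
            }
            /* The existing management and routing-protocol terms of the lo0 filter follow */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
```

Apply it with set interfaces lo0 unit 0 family inet filter input protect-re and, as the article requires on EX, again on me0 or vme if that interface is in use. show firewall filter protect-re then shows the ntp-discard counter, which should rise under an attack and stay flat otherwise.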

Future Enhancement for this Issue

Starting with the following Junos OS releases:
11.4R12, 12.1R10, 12.2R8, 12.3R2-S9, 12.3R3-S10, 12.3R7,
13.1R4-S2, 13.1R5, 13.2R4, 13.3R2, 14.1R1, 14.2R1, 15.1R1,
12.1X44-D35, 12.1X45-D25, 12.1X46-D15, 12.1X46-D20, 12.1X47-D10,
13.1X49-D42, 13.1X50-D30, 13.2X50-D20, 13.2X51-D25, 13.2X52-D20

  • ntpd will be upgraded to 4.2.7p26 or later
  • The monlist response will be disabled in ntpd
  • A CLI knob for restricting responses to NTP control packets will be introduced

The firewall filter above will therefore no longer be necessary in those releases, but for now it is mandatory for switches that have a public IP address.


About the author

Prasanna
