On Jan 13, 2014, at 4:25 PM, Richard A Steenbergen <r...@e-gerbil.net> wrote:
> Dear Juniper,
>
> Please tell me you didn't actually do this. Please tell me that I'm just
> missing something, and that you would never do something so insane. Did
> you guys REALLY ship code that automatically enables an NTP server that
> responds to the world, with no authentication or options to restrict
> access or commands, whenever someone configures the router to be an NTP
> client? Because that's sure what it looks like.
>
> The documentation on the subject is interesting too:
>
> http://www.juniper.net/techpubs/en_US/junos13.1/topics/task/configuration/network-time-protocol-time-server-time-services-configuring.html
>
> Configuring the Router or Switch to Operate in Client Mode:
> * Do something
>
> Configuring the Router or Switch to Operate in Server Mode:
> * Do the exact same thing
>
> Sigh... I'd be more disappointed, but hey it doesn't crash anything when
> someone uses your routers as an NTP reflection attack amplifier, so I
> suppose you can at least be proud of that.
>
> For anyone who doesn't know what I'm talking about, you might want to
> read:
>
> http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
> https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
>
> And then start making sure UDP/123 is blocked in your lo0 firewall
> filters.

I’ve not seen any way other than firewall filters to mitigate this traffic. There is a Juniper “enhancement” pending to upgrade the NTP version.

- Jared

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
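As an added illustration of the lo0 firewall-filter mitigation both posters refer to (example configuration written for this page, not taken from the thread or from Juniper's documentation): a Junos loopback filter that accepts NTP packets only from the upstream servers the router is a client of and discards every other packet aimed at UDP/123 on the routing engine. The filter name, counter name and the 192.0.2.x server addresses are constructed placeholders.

```junos
/* Added example: limit who can reach the NTP service on the routing engine */
firewall {
    family inet {
        filter PROTECT-RE {
            /* Placeholder: the upstream NTP servers configured under [system ntp server] */
            term ntp-from-configured-servers {
                from {
                    source-address {
                        192.0.2.10/32;
                        192.0.2.11/32;
                    }
                    protocol udp;
                    source-port ntp;
                    destination-port ntp;
                }
                then accept;
            }
            /* Any other packet to UDP/123 on the router is counted and dropped */
            term ntp-drop-rest {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-drop;
                    discard;
                }
            }
            /* Placeholder for the rest of an existing RE-protection filter */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

The trailing accept stands in for whatever the existing lo0 filter already permits; after commit, `show firewall filter PROTECT-RE` shows the ntp-drop counter climbing whenever unsolicited NTP queries reach the router.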