Once upon a time, Richard A Steenbergen <r...@e-gerbil.net> said:
> Please tell me you didn't actually do this. Please tell me that I'm just
> missing something, and that you would never do something so insane. Did
> you guys REALLY ship code that automatically enables an NTP server that
> responds to the world, with no authentication or options to restrict
> access or commands, whenever someone configures the router to be an NTP
> client? Because that's sure what it looks like.

That is the case.  A co-worker at my PPOE went through this last week;
an NTP reflection attack to a Juniper M10i OC-3 interface to the
Internet caused routing protocols to flap repeatedly because it
overloaded the RE (so not just participating in somebody else's DDoS but
also crippling the router).

This appears to be the case on all JUNOS routers and switches
(everything I tried anyway).  "restrict default ignore" should be the
default, with an option to disable that or allow more remote devices to
monitor your NTP.

AFAIK the only current way to fix it is a firewall filter on lo0 that
limits inbound UDP port 123 to be from your NTP servers (and monitoring
system, if you monitor NTP).
-- 
Chris Adams <c...@cmadams.net>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
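Added example, not from the poster or from Juniper: the lo0 firewall filter workaround described above written out in JUNOS configuration syntax. The filter name (protect-re-ntp), the prefix-list name (ntp-peers), the counter name and the addresses in the prefix list are assumptions and placeholders; replace them with your own NTP servers and NTP monitoring hosts. In practice the two NTP terms would be added to an existing lo0 RE-protection filter rather than deployed with a bare accept-everything-else term as shown here.

```junos
/* Added example (not from the original post). Assumed names and
   placeholder addresses; adjust to your NTP servers and monitoring hosts. */
policy-options {
    prefix-list ntp-peers {
        /* the NTP servers this router is a client of (placeholders) */
        192.0.2.10/32;
        192.0.2.11/32;
        /* monitoring system that polls NTP on the router (placeholder) */
        198.51.100.5/32;
    }
}
firewall {
    family inet {
        filter protect-re-ntp {
            /* NTP replies from our servers and queries from monitoring: allow */
            term ntp-from-peers {
                from {
                    source-prefix-list {
                        ntp-peers;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* everything else aimed at UDP/123 on the RE: count and drop,
               so the router can no longer be used as a reflector */
            term ntp-discard {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-discard;
                    discard;
                }
            }
            /* placeholder: in a real lo0 filter the remaining RE-protection
               terms (routing protocols, SSH, SNMP, ...) go here instead */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re-ntp;
                }
            }
        }
    }
}
```

After committing, `show firewall filter protect-re-ntp` shows the ntp-discard counter; a counter that climbs steadily is the reflection traffic that would otherwise have reached the RE, and is a useful thing to graph or alert on. Note that the first term must cover every source the router legitimately exchanges NTP with (servers it polls and hosts that poll it), or time sync and monitoring break when the second term starts discarding.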
