
How can you restrict NTP queries and prevent NTP reflection attacks?

http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks

https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300

Our filers are being used as part of a large-scale NTP reflection attack; I can find no documentation on how to turn off monlist queries.
Anyone here have any ideas?

Re: How can you restrict NTP queries and prevent NTP reflection attacks?

Are you seeing UDP traffic with a source port of 123 leaving your network to go to the internet? If so, configure an access control list on your network egress to disallow that.
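A way to answer the question in this reply from flow logs before touching the egress ACL, as an added example that is not part of the thread and not NetApp code. It assumes a simple whitespace-separated flow record format (source IP, source port, destination IP, destination port, protocol, bytes), an internal range of 10.0.0.0/8, and constructed sample records; all three are assumptions.

```python
"""Flag UDP flows with source port 123 leaving the internal network, the
pattern the reply above says to block at the egress.
Added example, not from the thread. Flow record format (constructed):
    <src_ip> <src_port> <dst_ip> <dst_port> <proto> <bytes>
INTERNAL_NETS is an assumed internal address range."""
from collections import defaultdict
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption
NTP_PORT = 123

# Constructed sample records; 10.1.2.3 stands in for an NTP-speaking filer.
SAMPLE_FLOWS = """\
10.1.2.3 123 203.0.113.10 50123 udp 440
10.1.2.3 123 10.1.9.9 123 udp 48
10.1.2.3 123 198.51.100.7 40000 udp 48000
10.1.2.3 123 203.0.113.10 50123 udp 440
10.1.2.3 55000 10.1.9.9 123 udp 48
10.1.2.3 443 203.0.113.10 50123 tcp 1200
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield one dict per non-empty record line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes = line.split()
        yield {"src": src, "sport": int(sport), "dst": dst,
               "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def ntp_egress_summary(text: str) -> dict:
    """Return {external_dst: {"flows": n, "bytes": b}} for UDP flows that
    originate on port 123 inside the network and end outside it.
    Client traffic (ephemeral source port to 123) and internal peering
    are deliberately ignored."""
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in parse_flows(text):
        if f["proto"] != "udp" or f["sport"] != NTP_PORT:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        summary[f["dst"]]["flows"] += 1
        summary[f["dst"]]["bytes"] += f["bytes"]
    return dict(summary)


def likely_reflection_targets(text: str, min_bytes: int = 1000) -> list:
    """External destinations that received at least min_bytes of NTP
    replies. On a host that should only be an NTP client, any entry
    here deserves a look; a large byte count to one destination is the
    amplified-reply pattern."""
    s = ntp_egress_summary(text)
    return sorted(d for d, v in s.items() if v["bytes"] >= min_bytes)


if __name__ == "__main__":
    for dst, v in ntp_egress_summary(SAMPLE_FLOWS).items():
        print(f"{dst}: {v['flows']} flows, {v['bytes']} bytes")
    print("investigate:", likely_reflection_targets(SAMPLE_FLOWS))
```

Run against the constructed records, the summary shows two small replies to 203.0.113.10 and one 48000-byte burst to 198.51.100.7; only the latter clears the default threshold. The same filter expressed as an egress ACL (drop UDP with source port 123 from the filer's address) is what the reply recommends.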

Re: How can you restrict NTP queries and prevent NTP reflection attacks?

We don't operate the firewall, and that is a viable option; I was just looking for a NetApp-specific solution so I don't have to escalate.

Re: How can you restrict NTP queries and prevent NTP reflection attacks?

If you can create an internal NTP server (or two), it's best practice to use a few strategically placed internal NTP servers and point the rest of your infrastructure to them. You can then disable monlist on your external-facing NTP servers; it is easy in the Unix NTP server.
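The "easy in the Unix NTP server" part, as an added example that is not from the thread or from NetApp: a small audit of an ntpd `ntp.conf` for the two settings that govern monlist exposure. It assumes classic ntpd syntax, where `disable monitor` turns the monlist facility off and `restrict default ... noquery` (optionally per family with `-4`/`-6`) refuses mode 6/7 queries from anyone not explicitly allowed; the two sample configurations are constructed.

```python
"""Audit an ntpd ntp.conf for monlist exposure.
Added example, not from the thread. Assumes ntpd directives:
  disable monitor          -> monlist facility off
  restrict default noquery -> mode 6/7 queries refused by default
'restrict default' without -4/-6 is taken to apply to both families."""


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def audit_ntp_conf(text: str) -> dict:
    monitor_disabled = False
    # None = no 'restrict default' line seen for that family (fully open).
    default_noquery = {"-4": None, "-6": None}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        tokens = line.split()
        cmd = tokens[0]
        if cmd in ("disable", "enable") and "monitor" in tokens[1:]:
            monitor_disabled = (cmd == "disable")   # last directive wins
        elif cmd == "restrict":
            families = ["-4", "-6"]
            rest = tokens[1:]
            if rest and rest[0] in ("-4", "-6"):
                families = [rest[0]]
                rest = rest[1:]
            if rest and rest[0] == "default":
                flags = set(rest[1:])
                for fam in families:
                    default_noquery[fam] = "noquery" in flags
    queries_open = any(v is not True for v in default_noquery.values())
    return {
        "monitor_disabled": monitor_disabled,
        "default_noquery_v4": default_noquery["-4"],
        "default_noquery_v6": default_noquery["-6"],
        # Either control is enough on its own; both is the safe default.
        "monlist_exposed": (not monitor_disabled) and queries_open,
    }


# Constructed: restricts modification but still answers monlist queries.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server ntp.example.com
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed: monitor off and queries refused for both address families.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server ntp.example.com
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    print("weak:", audit_ntp_conf(WEAK_CONF))
    print("hardened:", audit_ntp_conf(HARDENED_CONF))
```

The audit reports the weak file as exposed because its `restrict default` line lacks `noquery` and nothing disables the monitor; the hardened file passes on both counts. A file with only `restrict default noquery` also passes, which matches the reply's point that a single line is enough, but the check still reports `monitor_disabled` separately so an operator can see which control is doing the work.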

Re: How can you restrict NTP queries and prevent NTP reflection attacks?

Paraphrased from my support case:

Due to the way ONTAP works, there is no ntp.conf file and so the fix will have to be an ONTAP patch.
http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=787469

As a workaround, either disable NTP until a fix is released, or block port 123/udp with a firewall.

Re: How can you restrict NTP queries and prevent NTP reflection attacks?

We just received notification of Technical Support Bulletin - KB 7010104. For cDOT the good news is there is a firewall in ONTAP.

Re: How can you restrict NTP queries and prevent NTP reflection attacks?

Can you link to this bulletin?

I'm still in 7-Mode, but this is good news.