topic Re: Filers vulnerable to NTP Reflection Attack in ONTAP Discussions

Filers vulnerable to NTP Reflection Attack

spenticoff — Thu, 05 Jun 2025 05:44:07 GMT

http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300

Our filers have been used in a large scale NTP reflection attack. I can not find any documentation on how to restrict or turn off monlist queries. options.timed doesn't seem to handle that part of the config

Any one have ideas?

Re: Filers vulnerable to NTP Reflection Attack

JGPSHNTAP — Tue, 04 Feb 2014 19:49:17 GMT

I don't have the slightest. I would encourage you to call support immediately and report back to us.

Re: Filers vulnerable to NTP Reflection Attack

aborzenkov — Wed, 05 Feb 2014 04:09:17 GMT

What Data ONTAP version? In 8.x you should be able to edit ntp configuration in diag shell.

And yes, it should be reported as soon as possible.

Re: Filers vulnerable to NTP Reflection Attack

DONSIZEMOREUNC — Wed, 12 Feb 2014 13:29:29 GMT

I asked NetApp support this same question, and they opened a BURT, 787469. No big deal to me but sorry to hear your filer was misused.

Re: Filers vulnerable to NTP Reflection Attack

aborzenkov — Wed, 12 Feb 2014 13:44:38 GMT

BURT is not public ☹

Re: Filers vulnerable to NTP Reflection Attack

spenticoff — Wed, 12 Feb 2014 18:32:39 GMT

Paraphrased from my support case,

Due to the way ONTAP works, there is no ntp.conf file and so the fix will have to be an ONTAP patch.
http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=787469

As a workaround either disable NTP until a fix is released, or block port 123/udp with a firewall.