NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

ONTAP Discussions

Filers vulnerable to NTP Reflection Attack

spenticoff
9,584 Views

http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300

Our filers have been used in a large scale NTP reflection attack. I can not find any documentation on how to restrict or turn off monlist queries.  options.timed doesn't seem to handle that part of the config

Any one have ideas?

1 ACCEPTED SOLUTION

spenticoff
9,584 Views

Paraphrased from my support case,

Due to the way ONTAP works, there is no ntp.conf file and so the fix will have to be an ONTAP patch.
http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=787469

As a workaround either disable NTP until a fix is released, or block port 123/udp with a  firewall.

View solution in original post

5 REPLIES 5

JGPSHNTAP
9,584 Views

I don't have the slightest.  I would encourage you to call support immediately and report back to us. 

aborzenkov
9,584 Views

What Data ONTAP version? In 8.x you should be able to edit ntp configuration in diag shell.

And yes, it should be reported as soon as possible.

DONSIZEMOREUNC
9,584 Views

I asked NetApp support this same question, and they opened a BURT, 787469.  No big deal to me but sorry to hear your filer was misused.

aborzenkov
9,584 Views

BURT is not public ☹

spenticoff
9,585 Views

Paraphrased from my support case,

Due to the way ONTAP works, there is no ntp.conf file and so the fix will have to be an ONTAP patch.
http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=787469

As a workaround either disable NTP until a fix is released, or block port 123/udp with a  firewall.

Public