ONTAP Discussions

How can you restrict NTP queries and prevent NTP reflection attacks?

spenticoff
28,044 Views

http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks

https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300

Our filers are being used as part of a large scale NTP reflection attack, I can find no documentation on how to turn off monlist queries.
Any one here have any ideas?

1 ACCEPTED SOLUTION

spenticoff
28,044 Views

Paraphrased from my support case,

Due to the way ONTAP works, there is no ntp.conf file and so the fix will have to be an ONTAP patch.
http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=787469

As a workaround either disable NTP until a fix is released, or block port 123/udp with a  firewall.

View solution in original post

6 REPLIES 6

ostiguy
28,044 Views

Are you seeing UDP traffic with a source port of 123 leaving your network to go to the internet? If so, configure an access control list on your network egress to disallow that.

spenticoff
28,044 Views

We don't operate the firewall, and that is a viable option, I was just looking for a netapp specific solution so I don't have to escalate.

WSANDERSATFLEXERA
28,044 Views

If you can create an internal NTP server (or two) it's best practice to use a few strategically placed internal NTP servers and point the rest of your infrastructure to there. You can then disable monlist on your external-facing NTP servers, it is easy in the Unix NTP server.

spenticoff
28,045 Views

Paraphrased from my support case,

Due to the way ONTAP works, there is no ntp.conf file and so the fix will have to be an ONTAP patch.
http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=787469

As a workaround either disable NTP until a fix is released, or block port 123/udp with a  firewall.

scottgelb
28,044 Views

We just received notification of Technical Support Bulletin - KB 7010104.  For cDOT the good news is there is a firewall in ONTAP.

spenticoff
28,044 Views

can you link to this bulletin?

I'm still in 7 mode but this is good news.

Public