Juniper NTP and Protecting the Routing Engine

By default your Juniper device will respond to NTP request.  This is bad for two reasons.  One.  Your router can now be used for a NTP reflection attack.  Two.  During this NTP reflection attack your routing engine will run out of resources and stop processing truly important things like BGP, OSPF, VRRP, and (insert protocol of choice).

Enabling NTP is easy.

set system ntp server 192.168.1.50
set system ntp server 192.168.1.51

Ta Da!  But now your router is also an NTP server available to be used, or most likely, abused by anyone.

Protecting the routing engine is slightly more complex than enabling NTP as there are a few variables to consider.

If you are using the command ‘set system ntp source-address 192.168.1.1’ this source address must be allowed by the firewall filter so the router can query itself when the ‘show ntp…’ commands are used.  If you are not specifying a specific source address the routers loopback address must allowed by the firewall filter so the router can query itself.

Using a specific source address.

Note that the prefix-list used in the firewall includes the router’s specified ntp source address.

 

NTP

set system ntp server 192.168.1.50
set system ntp server 192.168.1.51
set system ntp source-address 192.168.1.1

Prefix list of valid NTP servers

set policy-options prefix-list ntp-servers 192.168.1.50/32
set policy-options prefix-list ntp-servers 192.168.1.51/32
set policy-options prefix-list ntp-servers 192.168.1.1/32

Loopback interface

set interfaces lo0 unit 0 family inet filter input protect-re
set interfaces lo0 unit 0 family inet address 1.1.1.1/32

Firewall filter

set firewall family inet filter protect-re term allow-ntp from source-prefix-list ntp-servers
set firewall family inet filter protect-re term allow-ntp from protocol udp
set firewall family inet filter protect-re term allow-ntp from port ntp
set firewall family inet filter protect-re term allow-ntp then accept
set firewall family inet filter protect-re term block-ntp from protocol udp
set firewall family inet filter protect-re term block-ntp from port ntp
set firewall family inet filter protect-re term block-ntp then count blocked-ntp
set firewall family inet filter protect-re term block-ntp then discard
set firewall family inet filter protect-re term allow-all then accept

Not using a specific source address.

Note that the prefix-list used in the firewall includes the router’s loopback address.

NTP

set system ntp server 192.168.1.50
set system ntp server 192.168.1.51

Prefix list of valid NTP servers

set policy-options prefix-list ntp-servers 192.168.1.50/32
set policy-options prefix-list ntp-servers 192.168.1.51/32
set policy-options prefix-list ntp-servers 1.1.1.1/32

The loopback interface and firewall filter remain the same.  More information  can be found in Juniper’s knowledge base.

Update:  Logging of the dropped packets will also cause excessive Routing Engine processing.

Leave a Reply

Your email address will not be published. Required fields are marked *