SLES 11 server generating a lot of traffic and responding sluggish - NTP Reflection

This document (7014543) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)
NTP

Situation

The server all of a sudden is generating a lot of traffic on the wire and is slow to respond.

Resolution

The solution is to harden the NTP configuration by using the "restrict" NTP option in the /etc/ntp.conf.

Here is the syntax:  restrict address[mask mask] [flag][...]

For example: If you want to restrict access from the 10.0.0.0/8 subnet you would add the following line:
restrict 10.0.0.0 255.0.0.0 noquery

If you want to completely harden NTP, use the following lines: (This is the recommended solution)

restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

This will not affect Time Synchronization.

Cause

This issue is caused by a malicious NTP Reflection Attack.

For example a LAN trace taken on the sluggish server might show a lot of NTP traffic with one or more remote clients sending NTP requests with code:

MON_GETLIST_1 (42)

This will cause NTP on the server to send a lot of data back to the clients.

If this is done multiple times a second, from one or more devices, it can cause the NTP daemon to use excessive amounts up CPU cycles.

Additional Information

Customers can review the following information if they want to ensure that their unique environment is protected.
http://support.ntp.org/bin/view/Support/AccessRestrictions

See Security issues with NTP at: http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html
VUL-0: CVE-2013-5211 is the specific issue described above.
Using the restrict -4 default kod nomodify notrap nopeer noquery and restrict -6 default kod nomodify notrap nopeer noquery configuration options hardens NTP against other security issues mentioned at the link above.

There is a lot of information out there on these issues.  Here are a few examples:

http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks

https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks

http://www.kb.cert.org/vuls/id/348126


NTP version 4.2.7 addresses these issues but it is still marked as Development.
As of the creation of this document the latest "Stable" or "Production" code is being shipped.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7014543
  • Creation Date: 11-Feb-2014
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center