NTP based DOS attacks

vlagrott · August 6, 2018, 11:17am

Hi,

I have a 3560CX switch running the latest firmware. Prior to the latest, the switch ran into a vulnerability where it says NTP Mode Control 6 (It’s set my default) need to be changed to ‘no ntp allow mode control’. I am not sure how long ago on the firmware it required me to do that. Now I need to enforce a 3-second rate control mechanism to protect the switch from NTP based DOS attacks. Do I just enter ‘ntp allow mode control 3’? Is that now the default for the latest firmware? Thank you, Vincent

ReneMolenaar · August 15, 2018, 11:23am

Hi Vincent,

I checked a 3850 switch running an image from February 2018 and the default seems to be 3 seconds:

SW5#show version | include Version
Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.6, RELEASE SOFTWARE (fc3)

You should use ntp mode control btw, that’s how you rate-limit NTP. If you use no ntp allow mode control then you disable rate-limiting.

Rene