Hi Folks,
Please refer to the below Security Bulletin,
2014-07 Security Bulletin: Junos: NTP server amplification denial of service attack (CVE-2013-5211)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613&actp=METADATA
WORKAROUND:
If a possible attack has been identified, or if the NTP process is occupying a large amount of CPU or memory resources, the most effective mitigation is to apply a firewall filter to allow only trusted addresses and networks, plus the router's loopback address, access to the NTP service on the device, rejecting all other requests. For example:
term allow-ntp {
    from {
        source-address {
            <trusted-addresses>;
            <router-loopback-address>;
        }
        protocol udp;
        port ntp;
    }
    then accept;
}
term block-ntp {
    from {
        protocol udp;
        port ntp;
    }
    then {
        discard;
    }
}
This term may be added to the existing loopback interface filter as part of an overall control plane protection strategy. In general, security best practices recommend having such a filter term, even during normal operation.
Also, note that the router loopback address must be included under the NTP allow term. If the loopback is not allowed, ‘show ntp’ commands will time out.
User@Router> show ntp status
localhost: timed out, nothing received
***Request timed out
Using the above filter allows only trusted sources to request the NTP service, but if you are interested in identifying the sources of unwanted NTP requests, add the 'log' action to the term block-ntp along with the 'discard' action. For example:
term block-ntp {
    from {
        protocol udp;
        port ntp;
    }
    then {
        log;
        discard;
    }
}
If your trusted IPs are being spoofed, you will also have to apply the 'log' action to the accept action of the allow-ntp term. This helps identify misbehaving (or spoofed) trusted sources as well.
term allow-ntp {
    from {
        source-address {
            <trusted-addresses>;
            <router-loopback-address>;
        }
        protocol udp;
        port ntp;
    }
    then {
        log;
        accept;
    }
}
Once you identify the sources of unwanted NTP requests, take appropriate action to block them at the network perimeter, and delete the 'log' action from the filter term.
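To turn the 'log' entries from the terms above into a list of sources to block at the perimeter, here is a small triage script. It is an added example, not part of the Juniper bulletin or of Junos; it assumes the `show firewall log` column layout (Time, Filter, Action, Interface, Protocol, Src Addr, Dest Addr, with A = accept and D = discard), and the log text, trusted networks and loopback address below are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `show firewall log` output. The column layout is an
# assumption about Junos PFE firewall logging; the log shows no port numbers,
# so only entries produced by the NTP terms (UDP, port ntp) should be fed in.
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
10:01:02  pfe       D      ge-0/0/0.0    UDP             203.0.113.7                      192.0.2.1
10:01:02  pfe       D      ge-0/0/0.0    UDP             203.0.113.7                      192.0.2.1
10:01:03  pfe       D      ge-0/0/1.0    UDP             198.51.100.9                     192.0.2.1
10:01:03  pfe       A      ge-0/0/0.0    UDP             192.0.2.50                       192.0.2.1
10:01:04  pfe       A      ge-0/0/0.0    UDP             192.0.2.50                       192.0.2.1
10:01:04  pfe       A      ge-0/0/0.0    UDP             192.0.2.50                       192.0.2.1
10:01:04  pfe       A      lo0.0         UDP             192.0.2.1                        192.0.2.1
10:01:05  pfe       D      ge-0/0/0.0    UDP             203.0.113.7                      192.0.2.1
"""

LOG_LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<filter>\S+)\s+(?P<action>[ADR])\s+"
    r"(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*$"
)

def parse_firewall_log(text):
    """Parse `show firewall log` text into dicts; header and blank lines are skipped."""
    return [m.groupdict() for m in map(LOG_LINE.match, text.splitlines()) if m]

def triage_ntp_sources(entries, trusted_nets, loopback, heavy_threshold=3):
    """Sort UDP log entries into: perimeter-block candidates (hits on block-ntp),
    trusted sources with an unusually high accepted volume (possible spoofing of
    a trusted IP), and accepts from outside the trusted set (a gap in the filter)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    lo = ipaddress.ip_address(loopback)
    discarded, accepted = Counter(), Counter()
    for e in entries:
        if e["proto"].upper() != "UDP":
            continue
        if e["action"] == "D":
            discarded[e["src"]] += 1
        elif e["action"] == "A":
            accepted[e["src"]] += 1
    is_trusted = lambda s: any(ipaddress.ip_address(s) in net for net in trusted)
    # The loopback queries its own NTP service, so it is never a spoofing candidate.
    not_lo = {s: n for s, n in accepted.items() if ipaddress.ip_address(s) != lo}
    return {
        "block_candidates": discarded.most_common(),  # highest volume first
        "heavy_trusted": sorted(s for s, n in not_lo.items() if is_trusted(s) and n >= heavy_threshold),
        "unexpected_accepts": sorted(s for s in not_lo if not is_trusted(s)),
    }
```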