NTP
The following table lists the auto rules that are used to mitigate NTP attacks and to support security for NTP traffic on your advanced appliance. These rules include support for the following: NTP requests and responses, NTP IPv4 and IPv6 ACLs (Access Control Lists), private mode 7 packets, named ACLs, and “ANY” ACLs. For information about the parameters, see Overview of Packet Flow.
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
---|---|---|---|---|---|---|
130600100 | Auto | RATELIMIT PASS NTP TIME responses | When the NTP client is enabled, this rule passes UDP NTP TIME responses until the traffic hits the rate limit of 10 packets per second; it then blocks all NTP traffic for 15 seconds. | Enabled when NTP service is disabled on this member. | Packets per second (default = 10); Drop interval (default = 15 seconds); Events per second (default = 1) | |
130600120 | Auto | DROP NTP TIME responses | This rule drops all UDP NTP TIME responses when the NTP client is disabled. | Enabled when NTP service is disabled on this member. | Events per second (default = 1) | |
200001001 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is disabled on this member. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001005 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is disabled on this member. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001010 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is disabled on this member. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001015 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is disabled on this member. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001020 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is disabled on this member. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001025 | Auto | DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 | When the NTP server is enabled, this rule warns about possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 attacks. It then blocks suspicious NTP traffic for the time period specified in Drop interval. | Enabled when NTP service is disabled on this member. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001050 | Auto | RATELIMIT PASS NTPQ IPv4 requests | This rule passes UDP NTPQ requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001055 | Auto | RATELIMIT PASS NTP TIME IPv4 requests | This rule passes UDP NTP TIME requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001060 | Auto | RATELIMIT PASS NTP private mode IPv4 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv4 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001065 | Auto | RATELIMIT PASS NTPQ IPv6 requests | This rule passes UDP NTPQ requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTPQ traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001070 | Auto | RATELIMIT PASS NTP TIME IPv6 requests | This rule passes UDP NTP TIME requests from NTP IPv6 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP TIME traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is enabled. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001075 | Auto | RATELIMIT PASS NTP private mode IPv6 requests | This rule passes UDP NTP private mode 7 requests from NTP IPv4 ACLs until the traffic hits the rate limit (Packets per second) value. It then blocks all subsequent NTP private mode 7 traffic for the time specified in Drop interval. | Enabled when NTP IPv6 ACLs are defined. If no ACLs are defined and the NTP server is enabled, the default ACLs are enabled, and this rule is disabled. | Packets per second (default = 10); Drop interval (default = 15 seconds); Rate algorithm (default = rate limiting); Events per second (default = 1) | |
200001100 | Auto | DROP NTPQ requests unexpected | When NTP service is disabled, this rule drops all UDP NTPQ requests. | Enabled when NTP service is disabled on this member. | Events per second (default = 1) | |
200001105 | Auto | DROP NTP TIME requests unexpected | When NTP service is disabled, this rule drops all UDP NTP TIME requests. | Enabled when NTP service is disabled on this member. | Events per second (default = 1) | |
200001110 | Auto | DROP NTP private mode requests unexpected | When NTP service is disabled, this rule drops all UDP NTP private mode 7 requests. | Enabled when NTP service is disabled on this member. | Events per second (default = 1) | |
200001115 | Auto | DROP invalid NTP requests | When NTP service is disabled, this rule drops all invalid UDP NTP requests. | Enabled when NTP service is disabled on this member. | Events per second (default = 1) | |
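The pass-until-rate-limit-then-drop behaviour that the RATELIMIT rules in the table describe, as an added simulation that is not the appliance's own code: it classifies a packet by the NTP mode field (the low three bits of the first header byte: mode 3 and 4 for TIME request and response, mode 6 for NTPQ control, mode 7 for private mode) and applies the Packets per second and Drop interval parameters. The sliding one-second window, the assumption that the packet exceeding the limit is the first one dropped, and the constructed timestamps are mine.

```python
"""Simulation of the NTP auto-rule semantics: pass until the per-second
rate limit is hit, then drop everything for the drop interval.
Constructed example; not the appliance's code."""
from dataclasses import dataclass, field

# NTP mode values as the rules use them (mode = first header byte & 0x07).
NTP_MODE_NAMES = {3: "NTP TIME request", 4: "NTP TIME response",
                  6: "NTPQ request", 7: "NTP private mode 7 request"}


def classify(first_byte: int) -> str:
    """Map the LI/VN/Mode byte of an NTP header to the traffic class a rule matches."""
    return NTP_MODE_NAMES.get(first_byte & 0x07, "invalid NTP")


@dataclass
class RateLimitRule:
    """Pass packets while at most `pps` arrive within any one-second window;
    the packet that exceeds the limit and all packets for the next
    `drop_interval` seconds are dropped (assumed interpretation)."""
    pps: int = 10            # Packets per second (default = 10)
    drop_interval: float = 15.0  # Drop interval (default = 15 seconds)
    _window: list = field(default_factory=list)
    _blocked_until: float = -1.0

    def handle(self, t: float) -> str:
        if t < self._blocked_until:
            return "DROP"
        # sliding window: keep only arrivals from the last second
        self._window = [x for x in self._window if t - x < 1.0]
        self._window.append(t)
        if len(self._window) > self.pps:
            self._blocked_until = t + self.drop_interval
            self._window.clear()
            return "DROP"
        return "PASS"


def simulate(rule: RateLimitRule, packets):
    """packets: iterable of (arrival_seconds, first_header_byte).
    Returns a list of (traffic class, verdict) in arrival order."""
    return [(classify(b), rule.handle(t)) for t, b in packets]


if __name__ == "__main__":
    # constructed burst: 10 TIME requests in one second, then stragglers
    burst = [(i / 10, 0x23) for i in range(10)] + [(0.95, 0x23), (5.0, 0x23), (16.0, 0x23)]
    for cls, verdict in simulate(RateLimitRule(), burst):
        print(f"{cls:28s} {verdict}")
```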