Intrusion Prevention


Ask questions and share experiences on intrusion detection and prevention (IDP).
  • 1.  CVE-2013-5211 Remote NTP Server

    Posted 09-26-2022 06:23
    Hi.
    I want to ask about CVE-2013-5211. Description: The remote NTP server responds to mode 6 queries. Devices that respond
    to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit
    this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.

    Is there any recommended action for this vulnerability?

    Thank you


    ------------------------------
    DENDHY GALIH
    ------------------------------


  • 2.  RE: CVE-2013-5211 Remote NTP Server

    Posted 09-26-2022 06:58
    By default, the Junos routing engine (RE) will act as an NTP server and accept all traffic. To prevent this, you need to apply a firewall filter to the loopback or management address of the device.

    A comprehensive sample protect-RE filter covering all protocols can be found here:
    https://blog.interconnect.nl/juniper-ex-re

    If you only want to protect against NTP, you would need to make just the NTP block and allow terms, and change the final term to allow instead of discard, or it will block your SSH access and other communications too.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: CVE-2013-5211 Remote NTP Server

    Posted 09-29-2022 03:19
    Hi Spuluka.

    I want to ask first: is the configuration correct or not?


    Any other solution?

    ------------------------------
    DENDHY GALIH
    ------------------------------



  • 4.  RE: CVE-2013-5211 Remote NTP Server

    Posted 09-30-2022 06:39
    That will be the term for the device making a request to an NTP server.

    The term for the device itself responding to NTP requests will use destination port instead of source port.

    The allow would only be needed if other network devices use this one as the actual NTP server. If this is not the case a straight block is all that is needed.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
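
One way to lay out the terms discussed in this thread, as an added example that is not taken from any poster's configuration. The filter name, term names and addresses (documentation ranges) are constructed; replace them with your own upstream NTP server and client prefixes. Term order matters, because the allow terms must be evaluated before the block term.

```junos
/* Added example: filter/term names and all addresses are constructed */
firewall {
    family inet {
        filter protect-re-ntp {
            /* Device as NTP client: replies from its upstream server */
            term ntp-replies {
                from {
                    source-address { 192.0.2.10/32; }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            /* Only if other devices sync from this one */
            term ntp-clients {
                from {
                    source-address { 198.51.100.0/24; }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* Everything else aimed at the RE's NTP service */
            term ntp-block {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then discard;
            }
            /* Final accept so SSH and other RE traffic keep working */
            term accept-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re-ntp;
                }
            }
        }
    }
}
```

Committing with `commit confirmed` lets the change roll back automatically if the filter cuts off management access. This covers IPv4 only; an equivalent `family inet6` filter is needed if the RE is reachable over IPv6.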