Junos

Loopback filter not filtering (MX960)

10.06.17   |  
2 weeks ago

I'm seeing NTP traffic reach the RE and NOT be blocked by the applied loopback filter.

 

There is a loopback filter applied, inbound. The first term matches all UDP port 123 and logs & syslogs, then next terms. The logs and syslogs show normal authorized NTP traffic. They also show bad guys port scanning. Both as you would expect.

 

I also get this in the log files, which indicates to me that NTP on the MX is trying to talk to a host in China:

xntpd: sendto(AA.BB.CC.DD): No route to host

So ... something reached NTP and made it try to talk back. But there is no log/syslog indicating a packet. 

 

Any ideas?

 

 

 

(and I'm as certain as one can be that the filter is correct, and correctly applied to the loop interface on the MX.)

7 REPLIES

Re: Loopback filter not filtering (MX960)

10.09.17   |  
2 weeks ago

Can you share the filter config?

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: Loopback filter not filtering (MX960)

10.09.17   |  
2 weeks ago

Hi,

 

Please refer to the best practices document on configuring the lo0 filter.

 

https://kb.juniper.net/TN226

 

Also, can you confirm whether you are using the following term to allow NTP?

 

term Allow-NTP {
    from {
        source-address {
            x.x.x.x;
        }
        protocol udp;
        port ntp;
    }
    then accept;
}

 

Also, you may want to check the route for AA.BB.CC.DD, figure out the outgoing interface, and do a tcpdump on that interface to check what NTP packets are received:

 

monitor traffic interface <interface name> matching "udp port 123"

 

Thanks

 

Hope this helps

--------------------------------------------------------------------------------------------------------
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
--------------------------------------------------------------------------------------------------------

 


Re: Loopback filter not filtering (MX960)

10.10.17   |  
a week ago

I'll warn you in advance; this is a non-trivial issue.

 

I appreciate the responses, and have attached the loop and first term of the filter. Note, again, the complete lack of the "suspect" IP in the logs, other than the xntpd no route to host. I.e., logging NTP as the first term DOES log the authorized NTP servers, and it also logs scanning. But it does NOT log the IPs from the xntpd log message.

 

A traffic monitor matching udp 123 has been performed on the suspected input interfaces and was active during one of the xntpd log messages ... but showed nothing.

 

I don't get it. It should not be possible for term 1 to syslog AND for a packet to be processed through the filter without a log message.

 

 

 

lo0 {
    unit 0 {
        description REMOVED;
        family inet {
            filter {
                input loopback-in;
            }
            address REMOVED/32 {
                preferred;
            }
        }
    }
}

filter loopback-in {
    term log-ntp {
        from {
            protocol [ udp tcp ];
            port 123;
        }
        then {
            log;
            syslog;
            next term;
        }
    }
}
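As an added example (not from the thread, and not Juniper's code): a small Python script that correlates the xntpd "No route to host" messages with the lo0 firewall-filter syslog entries produced by the log-ntp term, to confirm whether an xntpd destination ever appeared as a logged inbound NTP source. The log lines are constructed; the PFE_FW_SYSLOG_IP field layout used here is the usual Junos one, but treat the exact field order as an assumption for your software release.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread). Firewall lines follow
# the Junos PFE_FW_SYSLOG_IP layout: interface, action, proto, src, dst,
# sport, dport (assumed field order); the xntpd line mirrors the quoted message.
SAMPLE_LOG = """\
Oct 10 03:14:01 mx960 fpc0 PFE_FW_SYSLOG_IP: FW: lo0.0 A udp 192.0.2.10 198.51.100.1 123 123 (1 packets)
Oct 10 03:14:05 mx960 fpc0 PFE_FW_SYSLOG_IP: FW: lo0.0 A udp 203.0.113.7 198.51.100.1 51234 123 (1 packets)
Oct 10 03:14:09 mx960 xntpd[1234]: sendto(180.0.0.1): No route to host
Oct 10 03:14:20 mx960 fpc0 PFE_FW_SYSLOG_IP: FW: lo0.0 A udp 192.0.2.10 198.51.100.1 123 123 (1 packets)
Oct 10 03:15:02 mx960 xntpd: sendto(192.0.2.10): No route to host
"""

FW_RE = re.compile(
    r"PFE_FW_SYSLOG_IP: FW: (?P<ifl>\S+) (?P<action>[ADR]) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<sport>\d+) (?P<dport>\d+)"
)
# xntpd may or may not log with a PID in brackets; accept both forms.
XNTPD_RE = re.compile(r"xntpd(?:\[\d+\])?: sendto\((?P<peer>[\d.]+)\): No route to host")


def parse_log(text):
    """Return (sources, peers): logged UDP/123 source IPs and xntpd sendto peers."""
    sources = defaultdict(int)   # src IP -> number of logged port-123 packets
    peers = defaultdict(int)     # peer IP -> number of xntpd sendto failures
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m and m.group("proto") == "udp" and m.group("dport") == "123":
            sources[m.group("src")] += 1
            continue
        m = XNTPD_RE.search(line)
        if m:
            peers[m.group("peer")] += 1
    return dict(sources), dict(peers)


def unlogged_peers(text):
    """xntpd destinations that never appeared as a source in the lo0 filter log.

    An address listed here means the RE tried to send NTP to it although no
    inbound NTP packet from it was logged by the log-ntp term, so the trigger
    is unlikely to be a packet that traversed that term; look elsewhere
    (self-originated NTP, CLI activity, the routing table for that prefix).
    """
    sources, peers = parse_log(text)
    return sorted(p for p in peers if p not in sources)


if __name__ == "__main__":
    print(unlogged_peers(SAMPLE_LOG))  # ['180.0.0.1']
```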

 

 

 


Re: Loopback filter not filtering (MX960)

10.11.17   |  
a week ago

Hello,

A few questions if I may:

1/ can You reveal at least the 1st byte of alleged "Chinese" IP please? AFAIK, MX internally uses IP addresses from 20/8 and 128/8 blocks so what You see in the logs may be internally-generated/self-generated NTP traffic.

2/ can You correlate the alleged "Chinese" IP appearing in the syslog with any NTP-related JUNOS CLI commands execution? Such as "show ntp <whatever>"  or "set date ntp" ?

3/ do You use FQDN to specify NTP server/peer in the configuration?

HTH

Thx
Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Loopback filter not filtering (MX960)

10.11.17   |  
a week ago

1. The first byte is 180.

 

2. No, I can't correlate this to the CLI. Or, rather, I tried and didn't find anything. There are no commands at/around the time of this message. I would also note that I've followed this line of inquiry. For example, we assume this is in response to a packet coming in through the filter, an NTP packet. But what if some other stimulus is causing the router to do this? CLI, ping, traceroute, multicast, etc. I know, it doesn't make sense. This problem is beyond making sense.

 

3. No, no FQDN, the IP numbers are used.

 

 

 

As I indicated, this problem is non-trivial.

 

Any more ideas?


Re: Loopback filter not filtering (MX960)

10.11.17   |  
a week ago

Ok, fine. Moving on:

4/ Do You have internet in a VRF, by any chance? 

5/ if yes, does this "Internet VRF" have own loopback unit that has a different input filter assigned, or no filter at all?

6/ What does the "show route <that alleged Chinese IP>/32" printout look like on Your MX? Please post it here in its entirety.

HTH

Thx

Alex


Re: Loopback filter not filtering (MX960)

10.12.17   |  
a week ago

4) You mean commodity? I don't carry full routes, only about 50%. I've got inet.0 and two vrfs.

 

5) All vrf loops have the exact same filter applied.

 

6) I've edited the output. I'm receiving four in the first, and two in the other two. Can you help me understand the relevance of your question?

 

 

..................> show route 180....

table1.inet.0: 301937 destinations, 1137349 routes (301937 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

180..../11         ...

table2.inet.0: 31 destinations, 32 routes (31 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          ...

table3.inet.0: 307470 destinations, 1375788 routes (307198 active, 0 holddown, 198151 hidden)
+ = Active Route, - = Last Active, * = Both

180...../11        ...