Routing

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  MX-5T as an NTP server - CPU utilization 100%

    Posted 01-06-2018 02:10

    Hi,

    We have an MX 5T router with a VRRP configuration, running Junos version 13.3R9.3.

    The ISP link is directly terminated on the MX. BGP is configured on the MX.

    Recently we configured the MX as an NTP server for our internal network devices. The MX is syncing with a global NTP server for updates.

    Internal network devices sync with the MX router for time updates.

    We observed high CPU utilization (100%) after enabling NTP.

    Kindly suggest how I can fix this issue.

    Thank you...


  • 2.  RE: MX-5T as an NTP server - CPU utilization 100%

    Posted 01-06-2018 02:29

    Hi Folks,

    I am more interested to know what is keeping the CPU busy. So please get the data below from the box.

    1 hour, with a snapshot every 5 seconds:

    top -s 5 -d 720 -n 100 >> /var/tmp/top.txt &

    There is a security bulletin for the NTP server amplification denial of service attack; however, your Junos will have the fix for the same.

    2014-07 Security Bulletin: Junos: NTP server amplification denial of service attack (CVE-2013-5211)

    Do you have a loopback filter in your box?

    If a possible attack has been identified, or if the NTP process is occupying a large amount of CPU or memory resources, the most effective mitigation is to apply a firewall filter to allow only trusted addresses and networks, plus the router's loopback address, access to the NTP service on the device, rejecting all other requests. For example:

    term allow-ntp {
        from {
            source-address {
                <trusted-addresses>;
                <router-loopback-address>;
            }
            protocol udp;
            port ntp;
        }
        then accept;
    }

    term block-ntp {
        from {
            protocol udp;
            port ntp;
        }
        then {
            discard;
        }
    }

    This term may be added to the existing loopback interface filter as part of an overall control plane protection strategy. In general, security best practices recommend having such a filter term, even during normal operation.



  • 3.  RE: MX-5T as an NTP server - CPU utilization 100%
    Best Answer

    Posted 01-06-2018 04:57

    Run through the high CPU checklist to verify which process is responsible.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB26261

    If it is ntp, then a protect filter is likely needed.

    General RE protect filter:

    https://www.juniper.net/documentation/en_US/junos/topics/example/routing-stateless-firewall-filter-security-protect-against-tcp-and-icmp-flood-configuring.html

    NTP term article:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22637
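    Added example, not from any reply in this thread: a small Python parser for the top log that the `top -s 5 -d 720 -n 100` command in reply 2 writes to /var/tmp/top.txt, ranking processes by mean WCPU so the process behind the 100% CPU can be confirmed (reply 3's "which process is responsible") before a protect filter is applied. The sample snapshots are constructed, and the FreeBSD-style column layout with WCPU followed by COMMAND is an assumption about what this Junos release prints.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample: two consecutive 'top' snapshots in the FreeBSD-style layout
# Junos prints, as "top -s 5 -d 720 -n 100 >> /var/tmp/top.txt" would capture them.
# Not real router output; PIDs and percentages are made up.
SAMPLE_TOP = """\
last pid: 6091;  load averages:  1.02,  0.98,  0.90    up 12+03:11:02  02:10:05
  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
 1420 root        1 132    0 14980K  9236K RUN     55:12 91.26% xntpd
 1301 root        1  76    0 21164K 12204K select   3:01  1.17% rpd
 1290 root        1  76    0  9876K  5120K select   0:40  0.49% mgd

last pid: 6092;  load averages:  1.05,  0.99,  0.91    up 12+03:11:07  02:10:10
  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
 1420 root        1 132    0 14980K  9236K RUN     55:17 93.80% xntpd
 1301 root        1  76    0 21164K 12204K select   3:01  0.98% rpd
 1290 root        1  76    0  9876K  5120K select   0:40  0.20% mgd
"""

def parse_top_snapshots(text):
    """Return {command: [wcpu%, ...]} over every snapshot; WCPU index is read from each header."""
    samples = defaultdict(list)
    wcpu_idx = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "PID" and "WCPU" in tokens:
            wcpu_idx = tokens.index("WCPU")  # header line starts a new snapshot
            continue
        if wcpu_idx is None or not tokens[0].isdigit():
            continue  # 'last pid' / load-average / memory summary lines
        try:
            wcpu = float(tokens[wcpu_idx].rstrip("%"))
        except (IndexError, ValueError):
            continue
        command = " ".join(tokens[wcpu_idx + 1:])  # COMMAND is the last column
        samples[command].append(wcpu)
    return dict(samples)

def top_consumers(text, threshold=50.0):
    """Return [(command, mean_pct, peak_pct)] at or above threshold, highest mean first."""
    ranked = []
    for cmd, vals in parse_top_snapshots(text).items():
        avg = mean(vals)
        if avg >= threshold:
            ranked.append((cmd, round(avg, 2), max(vals)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```

    Run `top_consumers(open("/var/tmp/top.txt").read())` against a real capture; a threshold of 50% keeps the output to the process that actually explains a pegged RE, and if it is not xntpd the NTP filter alone will not resolve the issue.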