
MX-5T as a NTP server - CPU utilization 100%

‎01-06-2018 02:09 AM

Hi,

We have MX 5T router with VRRP configuration. Junos version 13.3R9.3

ISP link is directly terminated on MX. BGP configuration is there on MX

Recently we have configured MX as NTP server for our internal network devices. MX is syncing with global NTP server for update.

Internal network devices sync with MX router for time update.

We observed high CPU utilization (100%) after enabling NTP.

Kindly suggest how I can fix this issue.

Thank you...

 

 


Re: MX-5T as a NTP server - CPU utilization 100%

‎01-06-2018 02:28 AM

Hi Folks,

I am more interested to know, what is keeping the CPU busy. So please get the below data from the box.

 

1 HOUR with snapshot for every 5 seconds

top -s 5 -d 720 -n 100 >> /var/tmp/top.txt &

 

There is a security bulletin for NTP server amplification denial of service attack; however, your Junos will have the fix for the same.

 

2014-07 Security Bulletin: Junos: NTP server amplification denial of service attack (CVE-2013-5211)

 

Do you have a loopback filter in your box?

 

If a possible attack has been identified, or if the NTP process is occupying a large amount of CPU or memory resources, the most effective mitigation is to apply a firewall filter to allow only trusted addresses and networks, plus the router's loopback address, access to the NTP service on the device, rejecting all other requests.  For example:

 

term allow-ntp {
    from {
        source-address {
            <trusted-addresses>;
            <router-loopback-address>;
        }
        protocol udp;
        port ntp;
    }
    then accept;
}

term block-ntp {
    from {
        protocol udp;
        port ntp;
    }
    then {
        discard;
    }
}

 

This term may be added to the existing loopback interface filter as part of an overall control plane protection strategy.  In general, security best practices recommend having such a filter term, even during normal operation.

-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.
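
To read the hour of `top` snapshots requested above and confirm whether ntpd is the busy process before changing the loopback filter, a short script can summarise the file. This is an added example, not part of the original replies; the sample output is constructed, and the FreeBSD-style column header (PID ... WCPU COMMAND) is an assumption about what `top` prints on the box.

```python
import sys
from collections import defaultdict

# Constructed sample: three snapshots in the assumed FreeBSD-style batch layout.
SAMPLE = """\
last pid: 41230;  load averages:  1.02,  0.98,  0.91  up 12+03:11:07  02:30:05

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
 1650 root        1 132    0 12340K  6120K RUN    512:07 91.50% ntpd
 1702 root        1  96    0 98120K 40112K select  33:41  3.10% rpd
 1688 root        1  96    0 30212K 11204K select   9:12  0.40% vrrpd
last pid: 41231;  load averages:  1.05,  0.99,  0.92  up 12+03:11:12  02:30:10

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
 1650 root        1 132    0 12340K  6120K RUN    512:12 97.00% ntpd
 1702 root        1  96    0 98120K 40112K select  33:41  1.50% rpd
 1688 root        1  96    0 30212K 11204K select   9:12  0.20% vrrpd
last pid: 41231;  load averages:  1.04,  0.99,  0.92  up 12+03:11:17  02:30:15

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
 1650 root        1 132    0 12340K  6120K RUN    512:16 88.50% ntpd
 1702 root        1  96    0 98120K 40112K select  33:41  2.00% rpd
 1688 root        1  96    0 30212K 11204K select   9:12  0.30% vrrpd
"""

def summarize(text, busy=50.0):
    """Return [(command, mean %CPU per snapshot, peak %CPU, snapshots >= busy)],
    sorted by mean. Processes sharing a command name are pooled together."""
    per_cmd = defaultdict(list)
    snapshots, cpu_idx, ncols = 0, None, 0
    for line in text.splitlines():
        f = line.split()
        if len(f) > 1 and f[0] == "PID" and f[-1] == "COMMAND":
            # Locate the CPU column from the header instead of hard-coding it.
            cpu_idx = next((i for i, c in enumerate(f) if c in ("WCPU", "CPU")), None)
            ncols = len(f)
            snapshots += 1
        elif cpu_idx is not None and len(f) >= ncols and f[0].isdigit():
            cmd = " ".join(f[ncols - 1:])  # COMMAND is last and may contain spaces
            per_cmd[cmd].append(float(f[cpu_idx].rstrip("%")))
    rows = [(cmd, round(sum(v) / snapshots, 1), max(v), sum(x >= busy for x in v))
            for cmd, v in per_cmd.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    # Pass the collected file (e.g. a copy of /var/tmp/top.txt) or use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for cmd, mean, peak, hot in summarize(data)[:10]:
        print(f"{cmd:<12} mean={mean:5.1f}%  peak={peak:5.1f}%  busy_snapshots={hot}")
```
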
Solution
Accepted by topic author Nik_MH
‎02-02-2018 10:37 PM

Re: MX-5T as a NTP server - CPU utilization 100%

‎01-06-2018 04:57 AM

Run through the high cpu checklist to verify which process is responsible.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB26261

 

If it is ntp then a protect filter is likely needed.

general re protect filter

https://www.juniper.net/documentation/en_US/junos/topics/example/routing-stateless-firewall-filter-s...

 

ntp term article.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB22637

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home