NTP Profile
Use the NTP Profile to configure NTP anomaly and ACL parameters. An NTP Profile should be used for ALL SPPs: NTP Reflection Floods are used against all types of targets, whether or not you host or even use NTP.
Note: Some of the NTP parameters detailed below cannot be used in asymmetric traffic environments, where FortiDDoS does not see both directions of a conversation. Use NTP Thresholds when you cannot use these NTP parameters.
The same NTP Profile can be used by multiple SPPs but any SPP can only use one NTP profile at a time.
You can create a maximum of 64 NTP Profiles.
| Field/Selection | Description | Recommendations (Detection Mode / Prevention Mode; Symmetric / Asymmetric Traffic) |
|---|---|---|
| Name | 1-35 characters (a-Z, 0-9, "-", "_" only) | |
| Data Length Anomaly Check | Each NTP version has a specified maximum data length for a Query or Response. FortiDDoS compares the actual data length with the length defined for the identified Version and drops any packet that does not match. | Enable |
| Stratum Anomaly Check | NTP includes Stratum information describing how far the server clock is from a reference clock. The RFC defines stratum values 0-15, but the 8-bit Stratum field allows 0-255. Any value above 15 is an anomaly and the packet is dropped. In addition, if the Stratum is 2 or greater a Reference ID must be included in the request and response; if it is not, the packet is dropped. | Enable |
| Version Anomaly Check | NTP Version must be between 1 and 4. If the Version is 1, the Mode must be 0. | Enable |
| Control Header Anomalies Check | FortiDDoS monitors 9 different Control header anomalies. | Normally this check can be enabled for all conditions. However, if you are hosting an NTP server you may need to disable it. Enable and monitor during Learning/Detection and evaluate the number of events and drops in both directions. If unsure, contact Fortinet Support. |
| Retransmission Check | If multiple identical Requests are seen before a Response is seen, the subsequent identical Requests are dropped. Note: This feature will not work with asymmetric traffic, where FortiDDoS may not see all Responses. Disable this feature if FortiDDoS is in Asymmetric Mode. | Disable if asymmetric traffic. Use NTP Query and Response Thresholds. |
| Sequence Mismatch Check | Detects header Sequence number errors in Queries and Responses. Note: This feature will not work with asymmetric traffic, where FortiDDoS may not see all Responses. | Disable if asymmetric traffic. |
| Unsolicited Response Check | FortiDDoS records all passing NTP Requests. When a matching NTP Response is seen the record is cleared. If an NTP Response is seen that was not Requested, it is "unsolicited" and dropped immediately. Note: This feature mitigates NTP Reflected Response Floods from the first packet, without requiring a Response Threshold. However, it will not work with asymmetric traffic, where FortiDDoS may not see all Requests or Responses. If the system is in Asymmetric Mode, disable this feature and use the NTP Response Threshold instead. | Disable if asymmetric traffic. Use the NTP Response Threshold. |
| Mode Mismatch Check | Some Modes must differ between the Client Query and the Server Response, while other Modes are the same for both. FortiDDoS checks for valid combinations and drops any packet with an invalid one. The only valid Mode pairs for Requests/Responses are 1/2 (symmetric active/passive), 3/4 (client/server), 6/6 (control) and 7/7 (private). Note: Like Unsolicited Response, Mode Mismatch works only with symmetric traffic. If FortiDDoS is in Asymmetric Mode, disable this feature. | Disable if asymmetric traffic. |
| Reflection Deny | No parameters. Enabling Reflection Deny creates a rule that denies NTP Mode 7 (private, e.g. monlist) and NTP Mode 6 (control) packets in both Queries and Responses. These packets are not needed for time synchronization and are frequently abused to create reflected, amplified NTP DDoS attacks. | Enable |
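To make the rules in the table concrete, here is an added example (not FortiDDoS code) that parses an NTP header and applies the Version, Stratum, Data Length, Mode pair and Reflection Deny checks statelessly, then models the Unsolicited Response, Retransmission and Mode Mismatch checks as a per-conversation table that only works when both directions are visible. Assumptions: the data-length rule is simplified to "modes 1-5 carry the 48-byte header plus at most a 24-byte MAC"; "Reference ID present" means bytes 12-15 are non-zero; the request/response distinction for modes 6 and 7 (which needs the control header's response bit) is not modelled; all packets are constructed test data.

```python
"""Added example mirroring the NTP Profile anomaly checks (not FortiDDoS code)."""
from dataclasses import dataclass

NTP_HEADER_LEN = 48        # fixed header for modes 1-5 (RFC 5905)
MAX_MAC_LEN = 24           # assumption: 4-byte key ID + up to 20-byte digest, no extension fields
EXPECTED_RESPONSE_MODE = {1: 2, 3: 4, 6: 6, 7: 7}   # the only valid Request/Response Mode pairs
# Constructed sample: the classic 8-byte mode-7 "monlist" probe used in reflection attacks
MONLIST_REQUEST = bytes.fromhex("1700032a00000000")


@dataclass
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int
    reference_id: bytes    # bytes 12-15, empty if the packet is shorter
    length: int


def parse_ntp(payload: bytes) -> NtpHeader:
    """Decode LI/VN/Mode (byte 0), Stratum (byte 1) and the Reference ID."""
    if len(payload) < 2:
        raise ValueError("payload too short to be NTP")
    first = payload[0]
    return NtpHeader(leap=first >> 6, version=(first >> 3) & 0x7, mode=first & 0x7,
                     stratum=payload[1],
                     reference_id=payload[12:16] if len(payload) >= 16 else b"",
                     length=len(payload))


def build_ntp(version, mode, stratum=0, ref_id=b"\x00" * 4, length=48, leap=0) -> bytes:
    """Construct a test packet; every field not given is zero."""
    pkt = bytearray(length)
    pkt[0] = (leap << 6) | (version << 3) | mode
    pkt[1] = stratum
    if length >= 16:
        pkt[12:16] = ref_id
    return bytes(pkt)


def stateless_anomalies(hdr: NtpHeader, reflection_deny=True) -> list:
    """Checks that need only the packet itself; any reason means 'drop'."""
    reasons = []
    if not 1 <= hdr.version <= 4:                      # Version Anomaly Check
        reasons.append("version not in 1..4")
    elif hdr.version == 1 and hdr.mode != 0:
        reasons.append("NTPv1 with non-zero mode")
    if hdr.stratum > 15:                               # Stratum Anomaly Check
        reasons.append("stratum > 15")
    elif hdr.stratum >= 2 and hdr.reference_id.strip(b"\x00") == b"":
        reasons.append("stratum >= 2 without Reference ID")
    if hdr.mode in range(1, 6) and not (NTP_HEADER_LEN <= hdr.length <= NTP_HEADER_LEN + MAX_MAC_LEN):
        reasons.append(f"data length {hdr.length} invalid for mode {hdr.mode}")   # Data Length (simplified)
    if reflection_deny and hdr.mode in (6, 7):         # Reflection Deny
        reasons.append(f"mode {hdr.mode} denied (Reflection Deny)")
    return reasons


class NtpFlowTracker:
    """Stateful checks: Retransmission, Unsolicited Response and Mode Mismatch.
    They are only meaningful when the tracker sees both directions (symmetric traffic)."""

    def __init__(self, symmetric=True, reflection_deny=True):
        self.symmetric = symmetric
        self.reflection_deny = reflection_deny
        self.pending = {}    # (client, server) -> mode of the outstanding Request

    def inspect(self, src, dst, payload):
        hdr = parse_ntp(payload)
        reasons = stateless_anomalies(hdr, self.reflection_deny)
        if reasons:
            return "drop", reasons
        if not self.symmetric:
            return "pass", ["stateful checks disabled (asymmetric traffic); rely on NTP Thresholds"]
        if hdr.mode in (1, 3):                          # Request-side modes
            if (src, dst) in self.pending:
                return "drop", ["retransmission before Response"]
            self.pending[(src, dst)] = hdr.mode
            return "pass", []
        if hdr.mode in (2, 4):                          # Response-side modes
            req_mode = self.pending.get((dst, src))
            if req_mode is None:
                return "drop", ["unsolicited Response"]
            if EXPECTED_RESPONSE_MODE[req_mode] != hdr.mode:
                return "drop", [f"Mode mismatch: request mode {req_mode} expects response mode "
                                f"{EXPECTED_RESPONSE_MODE[req_mode]}, got {hdr.mode}"]
            del self.pending[(dst, src)]                # matching Response clears the record
            return "pass", []
        return "pass", []                               # e.g. mode 5 broadcast


def demo_symmetric():
    """Constructed conversation between a protected client and an external server."""
    t, client, server = NtpFlowTracker(symmetric=True), "10.0.0.5", "192.0.2.10"
    query = build_ntp(4, 3)
    reply = build_ntp(4, 4, stratum=2, ref_id=bytes([10, 0, 0, 1]))
    return [t.inspect(client, server, query),               # pass: Request recorded
            t.inspect(client, server, query),               # drop: retransmission
            t.inspect(server, client, reply),               # pass: matches the pending Request
            t.inspect(server, client, reply),               # drop: unsolicited (record already cleared)
            t.inspect(client, server, build_ntp(4, 1)),     # pass: symmetric-active Request
            t.inspect(server, client, reply)]               # drop: mode 1 expects mode 2, got 4


def demo_asymmetric():
    """Same reflected-looking Response, but stateful checks are off in Asymmetric Mode."""
    reply = build_ntp(4, 4, stratum=2, ref_id=bytes([10, 0, 0, 1]))
    return NtpFlowTracker(symmetric=False).inspect("192.0.2.10", "10.0.0.5", reply)


if __name__ == "__main__":
    print("monlist probe:", stateless_anomalies(parse_ntp(MONLIST_REQUEST)))
    for verdict, why in demo_symmetric():
        print(verdict, why)
    print("asymmetric:", demo_asymmetric())
```

The asymmetric case shows why the table tells you to fall back to Thresholds: with only one direction visible the reflected Response in `demo_asymmetric` passes every check, so only a rate-based NTP Response Threshold can catch a flood of them.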