Handbook

NTP Profile

Use the NTP Profile to configure the NTP Anomaly and ACL parameters. An NTP Profile should be applied to ALL SPPs (Service Protection Profiles): NTP Reflection Floods are launched against every kind of target, whether or not you host NTP or use it at all.

Note: Some of the NTP parameters detailed below cannot be used in asymmetric traffic environments, where FortiDDoS does not see both directions of a flow. Use the NTP Thresholds instead wherever those parameters cannot be used.

The same NTP Profile can be used by multiple SPPs, but an SPP can use only one NTP Profile at a time.

You can create a maximum of 64 NTP Profiles.

Field/Selection, Description and Recommendations (the recommendation applies to Detection Mode and Prevention Mode, and to Symmetric and Asymmetric Traffic, unless the entry says otherwise)

Name
1-35 characters (a-Z, 0-9, "-", "_" only).

Data Length Anomaly Check
Each NTP version has a specified maximum data length in the Query or Response. FortiDDoS compares the actual data length to the defined data length for the identified Version and drops any packet that does not match.
Recommendation: Enable.

Stratum Anomaly Check
NTP includes Stratum information to describe the accuracy of the server clock. The RFC defines stratum values 0-15, but the 8-bit Stratum field can carry 0-255. Any value above 15 is an anomaly and the packet is dropped (an unsynchronized server sends stratum 0 on the wire, so values above 15 do not occur in legitimate traffic). In addition, if the Stratum is 2 or greater, a Reference ID must be present in the request and response; if it is missing, the packet is dropped.
Recommendation: Enable.

Version Anomaly Check
The NTP Version must be between 1 and 4. If the Version is 1, the Mode must be 0.
Recommendation: Enable.

Control Header Anomalies Check
FortiDDoS monitors 9 different Control header anomalies, including:
  • Request with LEAP INDICATOR as zero
  • Request with ERROR or MORE bits set
  • Request with non-zero OFFSET
  • Request with reserved OPCODE (>7)
  • Response with COUNT value of 0
  • Fragmented error response (E=1 and M=1)
  • First response with M=1 and non-zero OFFSET
  • Response with reserved STATUS values (>7)
Normally this check can be enabled in all conditions. However, if you are hosting an NTP server, you may need to disable it.
Recommendation: Enable and monitor during Learning/Detection; evaluate the number of events and drops in both directions. If unsure, contact Fortinet Support.

Retransmission Check
If multiple identical Requests are seen before a Response is seen, the subsequent identical Requests are dropped.
Note: This feature will not work with asymmetric traffic, where FortiDDoS may not see all Responses. Disable it if FortiDDoS is in Asymmetric Mode.
Recommendation: Enable for symmetric traffic. Disable for asymmetric traffic and use the NTP Query and Response Thresholds instead.

Sequence Mismatch Check
Detects header Sequence number errors in Queries and Responses.
Note: This feature will not work with asymmetric traffic, where FortiDDoS may not see all Responses.

Unsolicited Response Check
FortiDDoS records every passing NTP Request. When the matching NTP Response is seen, the record is cleared. If an NTP Response is seen for which no Request was recorded, it is "unsolicited" and is dropped immediately.
Note: This feature mitigates NTP Reflected Response Floods from the first packet, without requiring a Response Threshold. However, it will not work with asymmetric traffic, where FortiDDoS may not see all Requests or Responses. If the system is in Asymmetric Mode, disable this feature and use the NTP Response Threshold instead.

Mode Mismatch Check
Some Modes must differ between the Client Query and the Server Response, while others are the same for both. FortiDDoS checks each Request/Response pair against the valid combinations and drops any packet with an invalid combination. The only valid Mode pairs for Requests/Responses are 1/2 (symmetric active/passive), 3/4 (client/server), 6/6 (control) and 7/7 (private).
Note: Mode Mismatch (MM), like Unsolicited Response, works only with symmetric traffic. If FortiDDoS is in Asymmetric Mode, disable this feature.

Reflection Deny
No parameters. Enabling Reflection Deny creates a rule that denies NTP Mode 6 and Mode 7 packets in both Queries and Responses. These packets are not needed for time synchronization (clients and servers use Mode 3/4) and are frequently abused to create reflected, amplified NTP DDoS attacks; Mode 7 is the format of the well-known "monlist" amplification request. Note that Mode 6 is also what ntpq uses for remote control queries, so that kind of administration through the protected path will be blocked as well.
Recommendation: Enable.
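To make the checks concrete, the following Python models the anomaly and correlation logic described in the table above. It is a constructed example added here for illustration, not FortiDDoS code, and it simplifies in two places that are assumptions of the example rather than statements from this handbook: Mode 1-5 packets are expected to be exactly 48 bytes (no extension fields or MAC), and "Reference ID must be included" is read as a non-zero Reference ID. The addresses, packets and helper names (parse_header, stateless_anomalies, NtpTracker, build_packet, demo) are all invented for the example.

```python
"""
Toy model of the NTP Profile checks.

Constructed example: this is not FortiDDoS code. Packet layouts follow RFC 5905
(modes 1-5), RFC 1305 Appendix B (mode 6) and the ntpd mode 7 private format.
"""
import struct
from dataclasses import dataclass

NTP_FIXED_LEN = 48     # RFC 5905 header; assumption: no extension fields or MAC
CONTROL_MIN_LEN = 12   # mode 6 control header before its data field
# The valid Request/Response Mode pairs from the table: 1/2, 3/4, 6/6, 7/7.
REQUEST_TO_RESPONSE = {1: 2, 3: 4, 6: 6, 7: 7}


@dataclass(frozen=True)
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int
    refid: int


def parse_header(data: bytes) -> NtpHeader:
    """Decode LI/VN/Mode, Stratum and Reference ID; missing fields read as 0."""
    if not data:
        raise ValueError("empty NTP packet")
    first = data[0]
    stratum = data[1] if len(data) > 1 else 0
    refid = struct.unpack("!I", data[12:16])[0] if len(data) >= 16 else 0
    return NtpHeader(first >> 6, (first >> 3) & 0x7, first & 0x7, stratum, refid)


def stateless_anomalies(data: bytes, reflection_deny: bool = True) -> list:
    """Per-packet checks: Version, Stratum, Data Length and Reflection Deny.

    Returns the names of every check that would drop the packet (empty = pass).
    """
    h = parse_header(data)
    hits = []
    if not 1 <= h.version <= 4 or (h.version == 1 and h.mode != 0):
        hits.append("version")          # NTPv1 has no Mode field; it must read 0
    if h.stratum > 15:
        hits.append("stratum")          # 8-bit field, but only 0-15 are valid
    elif h.stratum >= 2 and h.refid == 0:
        hits.append("stratum")          # assumption: "Reference ID included" means non-zero
    if h.mode in (6, 7):
        if len(data) < CONTROL_MIN_LEN:
            hits.append("data_length")
        if reflection_deny:
            hits.append("reflection_deny")   # Mode 6/7 are the amplification vectors
    elif len(data) != NTP_FIXED_LEN:
        hits.append("data_length")      # simplified per-version length rule
    return hits


def is_request(h: NtpHeader, data: bytes) -> bool:
    """Modes 1/3 are requests, 2/4 responses; modes 6/7 carry an explicit R bit."""
    if h.mode in (1, 3):
        return True
    if h.mode == 6:
        return len(data) > 1 and not (data[1] & 0x80)   # R bit in the control header
    if h.mode == 7:
        return not (data[0] & 0x80)                     # R bit in the private header
    return False


class NtpTracker:
    """Request/Response correlation behind the Retransmission, Unsolicited Response
    and Mode Mismatch checks. It only works when both directions are seen
    (symmetric traffic), which is why the table says to disable them otherwise."""

    def __init__(self):
        self.pending = {}   # (client, server) -> (request mode, request bytes)

    def inspect(self, src: str, dst: str, data: bytes) -> str:
        """Return 'pass' or the name of the check that drops the packet."""
        h = parse_header(data)
        if is_request(h, data):
            prev = self.pending.get((src, dst))
            if prev is not None and prev[1] == data:
                return "retransmission"          # identical Request before any Response
            self.pending[(src, dst)] = (h.mode, data)
            return "pass"
        prev = self.pending.get((dst, src))      # a Response answers a Request dst -> src
        if prev is None:
            return "unsolicited_response"        # no recorded Request: reflected traffic
        if REQUEST_TO_RESPONSE[prev[0]] != h.mode:
            return "mode_mismatch"               # keep waiting for the legitimate Response
        del self.pending[(dst, src)]
        return "pass"


def build_packet(version: int, mode: int, stratum: int = 0,
                 refid: int = 0, length: int = NTP_FIXED_LEN) -> bytes:
    """Construct a synthetic NTP packet (poll 6, precision -20, zero timestamps)."""
    head = bytes([(version << 3) | mode, stratum, 6, 0xEC])
    body = head + struct.pack("!III", 0, 0, refid) + bytes(32)
    return body[:length] if length <= len(body) else body + bytes(length - len(body))


def demo() -> dict:
    """Walk constructed traffic (invented addresses) through both kinds of check."""
    client, server, amplifier = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    tracker = NtpTracker()
    request = build_packet(4, 3)
    reply = build_packet(4, 4, stratum=2, refid=0xC0A80001)
    return {
        "request": tracker.inspect(client, server, request),
        "retransmit": tracker.inspect(client, server, request),
        "reply": tracker.inspect(server, client, reply),
        "reflected": tracker.inspect(amplifier, client, reply),
        "monlist": stateless_anomalies(build_packet(4, 7)),
        "bad_stratum": stateless_anomalies(build_packet(4, 4, stratum=20, refid=1)),
        "v1_with_mode": stateless_anomalies(build_packet(1, 3)),
        "truncated": stateless_anomalies(build_packet(4, 3, length=40)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>13}: {verdict}")
```

The stateless half needs nothing but the packet, which is why those checks work in any deployment. The tracker half only produces correct verdicts when it observes both directions: in an asymmetric deployment, where the Requests leave by a path FortiDDoS does not see, every Response would be judged unsolicited. That is exactly the condition the table attaches to Retransmission, Unsolicited Response and Mode Mismatch, and why those checks are disabled there in favour of the NTP Query and Response Thresholds.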
