Netvanta 1335 getting hammered by 100%CPU, seens to be related to ntpd

Howdy, I'm looking for a way to bidirectionally pass all traffic to/from our inside VLAN1 (the 10.10.10.x lan) and VLAN 2 (which has public IP addresses from an advertised /26) to our upstream provider on VLAN21, but get rid of traffic which is saturiating our cpu, probably on port 123.

Until a few days ago everything was working well, then our old 1335 died (power supply has totally failed, no lights, no fan, after 4 continuous years powered up.) Our upstream IP service is 50Mbit, shared by a bunch of users in our building, each of which has a static IP assigned by me personally. One inside computer (on port 0/2) is manually assigned x.x.x.67, which I use to access the Netvanta when needed.

Fortunately we have a spare Netvanta 1335, which came up fine. We upgraded the firmware to R11.10.6.E,

Symptom is that after several hours of normal use, the Netvanta CPU use goes to 100% and it becomes impossible to even telnet locally, and of course service to/from the big world goes almost totally dead (although once in a while a packet gets through.)

When this occurs, the command

#show processes cpu

indicates that ntpd is using 70%+ of the cpu.If I unplug the CAT6 cable to our fiber interface, that drops top 0 and I can at least access the Netvanta locally.

This seems to indicate that we are under some sort of DDos attack.

If I disable the sntp server (#no ip sntp server) then the problem seems to go away, although, of course we haven't got a way to sync the Netvanta clock to time.nist.gov. 'show processes cpu' then does not even show an entry for ntpd, which is what I would expect.

Strangely, I did this yesterday,but after about 8 hours, the problem recurred and 'show processes cpu' again showed that ntpd was running and getting hammered, which I really don't understand.

What I want is to have the Netvanta sync its time but NOT act as a time server at all, and to drop all ntp traffic coming from the outside, but pass all other traffic. I do not know how to do this.

You will note that in the config file I have pasted below there is no firewall active and I have an entry for VLAN100 which is unused and could go away.

Your help is much appreciated. (feel free to trash my amateur config efforts, btw..)

/Mr. Duck

(config below, passwords, IP addresses are XXed out)

------------------

!

!

! ADTRAN, Inc. OS version R11.10.6.E

! Boot ROM version 15.01.B1

! Platform: NetVanta 1335, part number 1700515E2

! Serial number L...........AC810

!

!

hostname "something"

enable password somecrappypassword

!

!

clock timezone -5-Eastern-Time

clock no-auto-correct-DST 

!

ip subnet-zero

ip classless

ip routing

!

!

name-server 4.2.2.2 4.2.2.1 

!

no ip route-cache express

!

no auto-config

!

event-history on

no logging forwarding

no logging email

!

no service password-encryption

!

username "admin" password "someotherpassword"

!

ip firewall stealth

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

no dot11ap access-point-control

!

vlan 1

  name "Default" 

!

vlan 2

  name "Internal x.x.x.x/26" 

!

vlan 21

  name "Outside trunk stuff" 

!

vlan 100

  name "VLAN0100" 

!

!

interface switchport 0/1

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/2

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/3

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/4

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/5

  no shutdown

!

interface switchport 0/6

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/7

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/8

  no shutdown

!

interface switchport 0/9

  no shutdown

!

interface switchport 0/10

  no shutdown

!

interface switchport 0/11

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/12

  no shutdown

!

interface switchport 0/13

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/14

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/15

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/16

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/17

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/18

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/19

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/20

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/21

  no shutdown

!

interface switchport 0/22

  no shutdown

!

interface switchport 0/23

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/24

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

!

interface gigabit-switchport 0/1

  no shutdown

!

interface gigabit-switchport 0/2

  description WAN

  speed 100

  spanning-tree bpdufilter enable

  spanning-tree edgeport

  no shutdown

  switchport mode trunk

  switchport access vlan 21

  no lldp send-and-receive

!

!

interface vlan 1

  ip address  10.10.10.1  255.255.255.0 

  ip access-policy Private

  ! IPv4 access-policy will not be used until IPv4 firewall is enabled

  ip route-cache express

  no shutdown

!

interface vlan 2

  description internal

  ip address  x.x.x.65  255.255.255.192 

  no ip route-cache express

  no shutdown

!

interface vlan 21

  ip address  out.side.fiber.ip 255.255.255.252 

  ip access-policy Public

  ! IPv4 access-policy will not be used until IPv4 firewall is enabled

  no awcp

  no ip route-cache express

  no shutdown

!

interface vlan 100

  ip address  x.x.x.100  255.255.255.254 

  no ip route-cache express

  no shutdown

!

!

ip access-list standard admin-access

  permit host x.x.x.67

  permit host 10.10.10.2

  permit host x.x.x.68

!

ip access-list standard wizard-ics

  remark Internet Connection Sharing

  permit any

!

!

ip access-list extended admin

!

ip access-list extended "external stuff on .67"

  permit ip any  host x.x.x.67     log

!

ip access-list extended self

  remark Traffic to Netvanta

  permit ip any  any     log

!

ip access-list extended web-acl-6

  remark Allow

  permit ip any host x.x.x.67    

!

ip access-list extended wizard-pfwd-1

  remark Port Forward 1

  permit tcp any  host out.side.fiber.ip  log

!

!

ip policy-class Allow

  allow list web-acl-6 policy "Allow x.x.x.67" stateless

!

ip policy-class Allow-x.x.x.67

  allow list web-acl-6 policy "Allow x.x.x.67" stateless

!

ip policy-class Private

  allow list self self

  nat source list wizard-ics interface vlan 21 overload

!

ip policy-class Public

  nat destination list wizard-pwfd-1 address 10.10.10.2

!

!

ip route 0.0.0.0 0.0.0.0 out.side.fiber.ip-1

!

no tftp server

no tftp server overwrite

http server

no http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

http ip access-class admin-access in

http ip secure-access-class admin-access in

!

sip udp 5060

sip tcp 5060

!

line con 0

  login

!

line telnet 0 4

  login

  password root2001

  no shutdown

  ip access-class admin-access in

line ssh 0 4

  login local-userlist

  shutdown

  ip access-class admin-access in

!

end

---------

(config ends above the dashes)