1 Reply Latest reply on Jan 18, 2017 9:29 AM by jayh

    Netvanta 1335 getting hammered by 100%CPU, seems to be related to ntpd

    mr.duck New Member

      Howdy, I'm looking for a way to bidirectionally pass all traffic to/from our inside VLAN1 (the 10.10.10.x LAN) and VLAN 2 (which has public IP addresses from an advertised /26) to our upstream provider on VLAN21, but get rid of traffic which is saturating our CPU, probably on port 123.

      Until a few days ago everything was working well, then our old 1335 died (power supply has totally failed, no lights, no fan, after 4 continuous years powered up.) Our upstream IP service is 50Mbit, shared by a bunch of users in our building, each of which has a static IP assigned by me personally. One inside computer (on port 0/2) is manually assigned x.x.x.67, which I use to access the Netvanta when needed.

      Fortunately we have a spare Netvanta 1335, which came up fine. We upgraded the firmware to R11.10.6.E.

      Symptom is that after several hours of normal use, the Netvanta CPU use goes to 100% and it becomes impossible to even telnet locally, and of course service to/from the big world goes almost totally dead (although once in a while a packet gets through.)

      When this occurs, the command

      #show processes cpu

      indicates that ntpd is using 70%+ of the CPU. If I unplug the CAT6 cable to our fiber interface, that drops to 0 and I can at least access the Netvanta locally.

      This seems to indicate that we are under some sort of DDoS attack.

      If I disable the sntp server (#no ip sntp server) then the problem seems to go away, although, of course, we haven't got a way to sync the Netvanta clock to time.nist.gov. 'show processes cpu' then does not even show an entry for ntpd, which is what I would expect.

      Strangely, I did this yesterday, but after about 8 hours the problem recurred and 'show processes cpu' again showed that ntpd was running and getting hammered, which I really don't understand.

      What I want is to have the Netvanta sync its time but NOT act as a time server at all, and to drop all NTP traffic coming from the outside, but pass all other traffic. I do not know how to do this.

      You will note that in the config file I have pasted below there is no firewall active and I have an entry for VLAN100 which is unused and could go away.

      Your help is much appreciated. (Feel free to trash my amateur config efforts, btw.)

      /Mr. Duck

      (config below; passwords and IP addresses are XXed out)

      ------------------

      !
      !
      ! ADTRAN, Inc. OS version R11.10.6.E
      ! Boot ROM version 15.01.B1
      ! Platform: NetVanta 1335, part number 1700515E2
      ! Serial number L...........AC810
      !
      !
      hostname "something"
      enable password somecrappypassword
      !
      !
      clock timezone -5-Eastern-Time
      clock no-auto-correct-DST
      !
      ip subnet-zero
      ip classless
      ip routing
      !
      !
      name-server 4.2.2.2 4.2.2.1
      !
      no ip route-cache express
      !
      no auto-config
      !
      event-history on
      no logging forwarding
      no logging email
      !
      no service password-encryption
      !
      username "admin" password "someotherpassword"
      !
      ip firewall stealth
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      !
      no dot11ap access-point-control
      !
      vlan 1
        name "Default"
      !
      vlan 2
        name "Internal x.x.x.x/26"
      !
      vlan 21
        name "Outside trunk stuff"
      !
      vlan 100
        name "VLAN0100"
      !
      !
      interface switchport 0/1
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/2
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/3
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/4
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/5
        no shutdown
      !
      interface switchport 0/6
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/7
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/8
        no shutdown
      !
      interface switchport 0/9
        no shutdown
      !
      interface switchport 0/10
        no shutdown
      !
      interface switchport 0/11
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/12
        no shutdown
      !
      interface switchport 0/13
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/14
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/15
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/16
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/17
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/18
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/19
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/20
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/21
        no shutdown
      !
      interface switchport 0/22
        no shutdown
      !
      interface switchport 0/23
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      interface switchport 0/24
        spanning-tree edgeport
        no shutdown
        switchport access vlan 2
      !
      !
      interface gigabit-switchport 0/1
        no shutdown
      !
      interface gigabit-switchport 0/2
        description WAN
        speed 100
        spanning-tree bpdufilter enable
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport access vlan 21
        no lldp send-and-receive
      !
      !
      interface vlan 1
        ip address  10.10.10.1  255.255.255.0
        ip access-policy Private
        ! IPv4 access-policy will not be used until IPv4 firewall is enabled
        ip route-cache express
        no shutdown
      !
      interface vlan 2
        description internal
        ip address  x.x.x.65  255.255.255.192
        no ip route-cache express
        no shutdown
      !
      interface vlan 21
        ip address  out.side.fiber.ip 255.255.255.252
        ip access-policy Public
        ! IPv4 access-policy will not be used until IPv4 firewall is enabled
        no awcp
        no ip route-cache express
        no shutdown
      !
      interface vlan 100
        ip address  x.x.x.100  255.255.255.254
        no ip route-cache express
        no shutdown
      !
      !
      ip access-list standard admin-access
        permit host x.x.x.67
        permit host 10.10.10.2
        permit host x.x.x.68
      !
      ip access-list standard wizard-ics
        remark Internet Connection Sharing
        permit any
      !
      !
      ip access-list extended admin
      !
      ip access-list extended "external stuff on .67"
        permit ip any  host x.x.x.67     log
      !
      ip access-list extended self
        remark Traffic to Netvanta
        permit ip any  any     log
      !
      ip access-list extended web-acl-6
        remark Allow
        permit ip any host x.x.x.67
      !
      ip access-list extended wizard-pfwd-1
        remark Port Forward 1
        permit tcp any  host out.side.fiber.ip  log
      !
      !
      ip policy-class Allow
        allow list web-acl-6 policy "Allow x.x.x.67" stateless
      !
      ip policy-class Allow-x.x.x.67
        allow list web-acl-6 policy "Allow x.x.x.67" stateless
      !
      ip policy-class Private
        allow list self self
        nat source list wizard-ics interface vlan 21 overload
      !
      ip policy-class Public
        nat destination list wizard-pfwd-1 address 10.10.10.2
      !
      !
      ip route 0.0.0.0 0.0.0.0 out.side.fiber.ip-1
      !
      no tftp server
      no tftp server overwrite
      http server
      no http secure-server
      no snmp agent
      no ip ftp server
      ip ftp server default-filesystem flash
      no ip scp server
      no ip sntp server
      !
      http ip access-class admin-access in
      http ip secure-access-class admin-access in
      !
      sip udp 5060
      sip tcp 5060
      !
      line con 0
        login
      !
      line telnet 0 4
        login
        password root2001
        no shutdown
        ip access-class admin-access in
      line ssh 0 4
        login local-userlist
        shutdown
        ip access-class admin-access in
      !
      end

      ---------

      (config ends above the dashes)
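The symptom above (ntpd pegged, service dead, quiet as soon as the WAN cable is pulled) is what a router used as an NTP reflector looks like from the inside. The following Python is an added example, not part of this thread and not an ADTRAN tool: it takes unidirectional flow summaries of the kind a NetFlow/sFlow collector exports and reports apparent sources that send NTP requests to the router far faster than any real client would (clients poll every 64 to 1024 seconds), together with the reply volume the router sends back to them. The flow records, the router address and all other addresses are constructed (RFC 5737 documentation space) and the `Flow` record layout is an assumption.

```python
"""Spot NTP reflection abuse of a router in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow summary (assumed collector layout)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    octets: int


ROUTER_IP = "203.0.113.65"   # constructed: the router's NTP-facing public address

# Constructed one-minute window: one LAN client polling once, a low-rate
# outside client, and a flood of requests whose source address is a single
# (spoofed) victim, with the router's replies all going back to that victim.
SAMPLE_FLOWS = [
    Flow("10.10.10.2", ROUTER_IP, "udp", 123, 123, 1, 76),
    Flow(ROUTER_IP, "10.10.10.2", "udp", 123, 123, 1, 76),
    Flow("192.0.2.44", ROUTER_IP, "udp", 40211, 123, 12, 912),
    Flow(ROUTER_IP, "192.0.2.44", "udp", 123, 40211, 12, 912),
    Flow("198.51.100.7", ROUTER_IP, "udp", 123, 123, 48000, 3648000),
    Flow(ROUTER_IP, "198.51.100.7", "udp", 123, 123, 48000, 3648000),
    Flow("10.10.10.2", "10.10.10.1", "tcp", 51000, 443, 30, 4500),  # unrelated
]


def ntp_activity(flows, router_ip):
    """Per apparent source: NTP requests the router received from it and
    NTP replies the router sent back to it, as [packets, octets]."""
    requests = defaultdict(lambda: [0, 0])   # src -> [packets, octets]
    replies = defaultdict(lambda: [0, 0])    # dst -> [packets, octets]
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == router_ip and f.dport == NTP_PORT:
            requests[f.src][0] += f.packets
            requests[f.src][1] += f.octets
        elif f.src == router_ip and f.sport == NTP_PORT:
            replies[f.dst][0] += f.packets
            replies[f.dst][1] += f.octets
    return requests, replies


def reflection_suspects(flows, router_ip, window_s=60, max_pps=1.0):
    """Return {apparent_source: details} for sources whose NTP request rate
    over the window exceeds max_pps. A genuine client never comes close to
    one request per second, so anything above it is either a broken client
    or a spoofed victim address being bounced off this router."""
    requests, replies = ntp_activity(flows, router_ip)
    suspects = {}
    for ip, (req_pkts, req_octets) in requests.items():
        pps = req_pkts / window_s
        if pps <= max_pps:
            continue
        rep_pkts, rep_octets = replies.get(ip, [0, 0])
        suspects[ip] = {
            "request_pps": pps,
            "reply_packets": rep_pkts,
            "reply_octets": rep_octets,
            # bytes sent back per byte received; >1 means the router amplifies
            "amplification": (rep_octets / req_octets) if req_octets else 0.0,
        }
    return suspects


if __name__ == "__main__":
    for ip, info in reflection_suspects(SAMPLE_FLOWS, ROUTER_IP).items():
        print(f"{ip}: {info['request_pps']:.0f} req/s, "
              f"{info['reply_octets']} reply bytes sent to it "
              f"(x{info['amplification']:.1f})")
```

On the sample window the only flagged source is 198.51.100.7, the address the reply traffic is being steered at; the two low-rate clients stay below the threshold. The device-side remedy discussed in this thread is to stop answering NTP at all (`no ip sntp server`) while still syncing the clock as a client.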

        • Re: Netvanta 1335 getting hammered by 100%CPU, seems to be related to ntpd
          jayh Hall_of_Fame

          The command "ip sntp server" by itself configures your device to provide time service to others, potentially the world. There are DDoS exploits of ntpd that spoof source addresses to open NTP servers and in this case you are likely being used as a reflector.

          What you want, in order to set the clock on your device from an external NTP server, is "sntp server <hostname>" or "sntp server <ip.add.re.ss>", without the <>.

          Leave the "no ip sntp server" configuration in place.
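The distinction jayh draws, `ip sntp server` (answer NTP for anyone, hence usable as a reflector) versus `sntp server <host>` (sync this device's own clock), is easy to check mechanically, as is the point in the original post that none of the `ip access-policy` bindings do anything while `ip firewall` is off. The following Python is an added example, not from this thread and not an ADTRAN tool: it parses an AOS running-config in the text form shown in the thread (top-level commands with indented sub-commands, `!` comments) and reports those two NTP findings, the inert firewall policies, dangling access-list references from policy classes, and the cleartext-management settings visible in the posted config. The sample config is a constructed excerpt modelled on the posted one (RFC 5737 addresses; a dangling list name is included to exercise that check), and the finding codes are my own.

```python
"""Audit an ADTRAN AOS running-config for the NTP and firewall issues discussed."""
import re

# Constructed excerpt modelled on the posted config (not the poster's file).
SAMPLE_CONFIG = """\
hostname "something"
no service password-encryption
ip firewall stealth
interface vlan 21
  ip address 203.0.113.2 255.255.255.252
  ip access-policy Public
  no shutdown
ip access-list standard wizard-ics
  permit any
ip access-list extended self
  permit ip any any log
ip access-list extended wizard-pfwd-1
  permit tcp any host 203.0.113.2 log
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface vlan 21 overload
ip policy-class Public
  nat destination list wizard-pwfd-1 address 10.10.10.2
http server
no http secure-server
no ip sntp server
line telnet 0 4
  login
  password root2001
  no shutdown
line ssh 0 4
  login local-userlist
  shutdown
end
"""

ACL_RE = re.compile(r'^ip access-list (?:standard|extended) "?(.+?)"?$')
LIST_REF_RE = re.compile(r"\blist (\S+)")


def parse_blocks(text):
    """Return (ordered top-level commands, {top-level command: [sub-commands]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and '!' comments carry no configuration
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit_config(text):
    """Return a list of (severity, code, message) findings."""
    top, blocks = parse_blocks(text)
    present = set(top)
    findings = []

    # NTP: 'ip sntp server' answers queries from anyone (an open server that
    # spoofed requests can be bounced off); 'sntp server <host>' only sets
    # this device's clock and is all a client-only router needs.
    if "ip sntp server" in present:
        findings.append(("high", "ntp-open-server",
                         "'ip sntp server' serves time to anyone; use 'no ip sntp server'"))
    if not any(t.startswith("sntp server ") for t in top):
        findings.append(("medium", "ntp-no-client",
                         "no 'sntp server <host>' line, so the clock is not synced upstream"))

    # Access-policies bound to interfaces are inert until 'ip firewall' is on.
    if "ip firewall" not in present:
        bound = [t for t in top if t.startswith("interface ")
                 and any(s.startswith("ip access-policy ") for s in blocks[t])]
        if bound:
            findings.append(("high", "firewall-disabled",
                             "'ip firewall' not enabled; policies on %s are inert" % ", ".join(bound)))

    # Policy classes must only reference access-lists that actually exist.
    acls = set()
    for t in top:
        m = ACL_RE.match(t)
        if m:
            acls.add(m.group(1))
    for t in top:
        if t.startswith("ip policy-class "):
            for sub in blocks[t]:
                for name in LIST_REF_RE.findall(sub):
                    if name not in acls:
                        findings.append(("high", "acl-dangling",
                                         "%s references undefined access-list '%s'" % (t, name)))

    # Cleartext management surface.
    if "no service password-encryption" in present:
        findings.append(("medium", "plaintext-passwords", "passwords stored unencrypted in config"))
    if "no shutdown" in blocks.get("line telnet 0 4", []) and "shutdown" in blocks.get("line ssh 0 4", []):
        findings.append(("medium", "telnet-cleartext", "telnet enabled while ssh is shut down"))
    if "http server" in present and "no http secure-server" in present:
        findings.append(("low", "http-insecure", "management web UI is HTTP only"))
    return findings


def finding_codes(text):
    """Sorted, de-duplicated finding codes for a config (handy for tests/CI)."""
    return sorted({code for _, code, _ in audit_config(text)})


if __name__ == "__main__":
    for sev, code, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] {code}: {msg}")
```

Against the sample the NTP server check passes (the poster already has `no ip sntp server`), but `ntp-no-client` fires because no `sntp server <host>` line exists, which is exactly the gap jayh's reply fills; adding `sntp server time.nist.gov` beside `no ip sntp server` clears it.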