mr_duck
New Contributor

Netvanta 1335 getting hammered by 100% CPU, seems to be related to ntpd

Howdy, I'm looking for a way to bidirectionally pass all traffic to/from our inside VLAN1 (the 10.10.10.x LAN) and VLAN 2 (which has public IP addresses from an advertised /26) to our upstream provider on VLAN21, but get rid of the traffic which is saturating our CPU, probably on port 123.

Until a few days ago everything was working well, then our old 1335 died (power supply has totally failed, no lights, no fan, after 4 continuous years powered up.) Our upstream IP service is 50Mbit, shared by a bunch of users in our building, each of which has a static IP assigned by me personally. One inside computer (on port 0/2) is manually assigned x.x.x.67, which I use to access the Netvanta when needed.

Fortunately we have a spare Netvanta 1335, which came up fine. We upgraded the firmware to R11.10.6.E.

Symptom is that after several hours of normal use, the Netvanta CPU use goes to 100% and it becomes impossible to even telnet locally, and of course service to/from the big world goes almost totally dead (although once in a while a packet gets through.)

When this occurs, the command

#show processes cpu

indicates that ntpd is using 70%+ of the CPU. If I unplug the CAT6 cable to our fiber interface, that drops to 0 and I can at least access the Netvanta locally.

This seems to indicate that we are under some sort of DDoS attack.

If I disable the sntp server (#no ip sntp server) then the problem seems to go away, although, of course we haven't got a way to sync the Netvanta clock to time.nist.gov. 'show processes cpu' then does not even show an entry for ntpd, which is what I would expect.

Strangely, I did this yesterday, but after about 8 hours the problem recurred and 'show processes cpu' again showed that ntpd was running and getting hammered, which I really don't understand.

What I want is to have the Netvanta sync its time but NOT act as a time server at all, and to drop all ntp traffic coming from the outside, but pass all other traffic. I do not know how to do this.

You will note that in the config file I have pasted below there is no firewall active and I have an entry for VLAN100 which is unused and could go away.

Your help is much appreciated. (feel free to trash my amateur config efforts, btw..)

/Mr. Duck

(config below, passwords, IP addresses are XXed out)

------------------

!
!
! ADTRAN, Inc. OS version R11.10.6.E
! Boot ROM version 15.01.B1
! Platform: NetVanta 1335, part number 1700515E2
! Serial number L...........AC810
!
!
hostname "something"
enable password somecrappypassword
!
!
clock timezone -5-Eastern-Time
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip routing
!
!
name-server 4.2.2.2 4.2.2.1
!
no ip route-cache express
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
username "admin" password "someotherpassword"
!
ip firewall stealth
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
vlan 1
  name "Default"
!
vlan 2
  name "Internal x.x.x.x/26"
!
vlan 21
  name "Outside trunk stuff"
!
vlan 100
  name "VLAN0100"
!
!
interface switchport 0/1
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/2
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/3
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/4
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/5
  no shutdown
!
interface switchport 0/6
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/7
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/8
  no shutdown
!
interface switchport 0/9
  no shutdown
!
interface switchport 0/10
  no shutdown
!
interface switchport 0/11
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/12
  no shutdown
!
interface switchport 0/13
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/14
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/15
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/16
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/17
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/18
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/19
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/20
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/21
  no shutdown
!
interface switchport 0/22
  no shutdown
!
interface switchport 0/23
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
interface switchport 0/24
  spanning-tree edgeport
  no shutdown
  switchport access vlan 2
!
!
interface gigabit-switchport 0/1
  no shutdown
!
interface gigabit-switchport 0/2
  description WAN
  speed 100
  spanning-tree bpdufilter enable
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport access vlan 21
  no lldp send-and-receive
!
!
interface vlan 1
  ip address  10.10.10.1  255.255.255.0
  ip access-policy Private
  ! IPv4 access-policy will not be used until IPv4 firewall is enabled
  ip route-cache express
  no shutdown
!
interface vlan 2
  description internal
  ip address  x.x.x.65  255.255.255.192
  no ip route-cache express
  no shutdown
!
interface vlan 21
  ip address  out.side.fiber.ip 255.255.255.252
  ip access-policy Public
  ! IPv4 access-policy will not be used until IPv4 firewall is enabled
  no awcp
  no ip route-cache express
  no shutdown
!
interface vlan 100
  ip address  x.x.x.100  255.255.255.254
  no ip route-cache express
  no shutdown
!
!
ip access-list standard admin-access
  permit host x.x.x.67
  permit host 10.10.10.2
  permit host x.x.x.68
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended admin
!
ip access-list extended "external stuff on .67"
  permit ip any  host x.x.x.67     log
!
ip access-list extended self
  remark Traffic to Netvanta
  permit ip any  any     log
!
ip access-list extended web-acl-6
  remark Allow
  permit ip any host x.x.x.67
!
ip access-list extended wizard-pfwd-1
  remark Port Forward 1
  permit tcp any  host out.side.fiber.ip  log
!
!
ip policy-class Allow
  allow list web-acl-6 policy "Allow x.x.x.67" stateless
!
ip policy-class Allow-x.x.x.67
  allow list web-acl-6 policy "Allow x.x.x.67" stateless
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface vlan 21 overload
!
ip policy-class Public
  nat destination list wizard-pwfd-1 address 10.10.10.2
!
!
ip route 0.0.0.0 0.0.0.0 out.side.fiber.ip-1
!
no tftp server
no tftp server overwrite
http server
no http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
http ip access-class admin-access in
http ip secure-access-class admin-access in
!
sip udp 5060
sip tcp 5060
!
line con 0
  login
!
line telnet 0 4
  login
  password root2001
  no shutdown
  ip access-class admin-access in
line ssh 0 4
  login local-userlist
  shutdown
  ip access-class admin-access in
!
end

---------

(config ends above the dashes)

jayh
Honored Contributor

Re: Netvanta 1335 getting hammered by 100% CPU, seems to be related to ntpd

The command "ip sntp server" by itself configures your device to provide time service to others, potentially the world. There are DDoS exploits of ntpd that spoof source addresses to open NTP servers and in this case you are likely being used as a reflector.

What you want, in order to set the clock on your device from an external NTP server, is "sntp server <hostname>" or "sntp server <ip.add.re.ss>", without the <>.

Leave the "no ip sntp server" configuration in place.
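One defender-side check for the reflector role jayh describes, added here as an example that is not from the thread or from ADTRAN: it audits UDP/123 flow records from the WAN side to see whether the router answers anyone other than its configured time server, and by how much each answer is amplified. The addresses and the flow records are constructed placeholders.

```python
from collections import defaultdict

# Hypothetical placeholder addresses (the post XXes its real ones out).
ROUTER_WAN_IP = "203.0.113.65"       # stands in for out.side.fiber.ip
CONFIGURED_SERVERS = {"192.0.2.10"}  # stands in for time.nist.gov's address

# Constructed UDP/123 flow records (direction, src_ip, dst_ip, bytes) as seen
# on the WAN side: one legitimate SNTP client exchange, then three spoofed
# "victim" addresses whose small queries each draw a much larger reply.
SAMPLE_FLOWS = [
    ("out", ROUTER_WAN_IP, "192.0.2.10", 76),  # our own request to the server
    ("in", "192.0.2.10", ROUTER_WAN_IP, 76),   # the reply we actually wanted
]
for victim in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
    for _ in range(50):
        SAMPLE_FLOWS.append(("in", victim, ROUTER_WAN_IP, 50))    # spoofed query
        SAMPLE_FLOWS.append(("out", ROUTER_WAN_IP, victim, 482))  # amplified answer


def audit_ntp_flows(flows, own_ip, servers):
    """Return ({peer: (bytes_sent, amplification)}, worst_ratio) for every
    address the router answered on UDP/123 other than its own time servers.
    A client-only box should answer nobody; a plain request/reply exchange
    is symmetric (ratio ~1), so a high ratio means it is amplifying too."""
    in_bytes, out_bytes = defaultdict(int), defaultdict(int)
    for direction, src, dst, nbytes in flows:
        if direction == "in" and dst == own_ip:
            in_bytes[src] += nbytes
        elif direction == "out" and src == own_ip:
            out_bytes[dst] += nbytes
    findings = {}
    for peer, sent in out_bytes.items():
        if peer in servers:
            continue  # our own outbound client query; expected
        ratio = sent / max(in_bytes.get(peer, 0), 1)
        findings[peer] = (sent, round(ratio, 2))
    worst = max((ratio for _, ratio in findings.values()), default=0.0)
    return findings, worst


def is_reflector(flows, own_ip, servers, max_ratio=3.0):
    """True when the router answers unconfigured peers at an amplifying ratio."""
    findings, worst = audit_ntp_flows(flows, own_ip, servers)
    return bool(findings) and worst > max_ratio
```

With "no ip sntp server" in place and only "sntp server <host>" configured, the same audit should come back empty, because the only UDP/123 traffic left is the router's own query to its server and that server's reply.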