[ntp:questions] better rate limiting against amplification attacks?
nomail at example.com
Fri Dec 27 16:49:36 UTC 2013
Brian Utterback <brian.utterback at oracle.com> wrote:
> On 12/27/2013 5:24 AM, Rob wrote:
>> What is the NTP developers position on implementation of better
>> rate limiting options in ntpd?
>> There are more and more amplification attacks against ntp servers,
>> similar to those against open DNS resolvers. A small packet sent
>> with a spoofed source address (allowed by a lame ISP) results in
>> a large reply from ntpd, sent to the victim of the attack.
>> Possible candidates are of course the commands to retrieve the list
>> of clients (similar to "ntpdc -c monlist") and and the list of
>> associated servers ("ntpq -p").
> In the current code monlist is replaced by mrulist. The mrulist command
> requires a handshake, so a spoofed address would not be possible.
> However, it might be wise to limit the number of packets sent per
> exchange. Currently the client sets the number but a man in the middle
> attack would still be possible. We could set the maximum number of
> packets sent per return packet to relatively small. The current
> implementation on the client sets it to 32, but we could allow a maximum
> of 4 or 8.
> Is a peer list really a big problem? It generally doesn't make sense to
> have much beyond 10 peers. Are there really a lot of servers with a lot
> of peers?
> Brian Utterback
Are you doubting the fact that NTP is used for amplification attacks?
It is a fact... and many ntp pool members have faced the consequences
I think what has to be discussed is the countermeasures, not the fact.
More information about the questions