[ntp:questions] Thoughts on KOD

Rob nomail at example.com
Mon Jul 7 07:50:16 UTC 2014

detha <detha at foad.co.za> wrote:
> There are some differences between open SMTP relays and networks not
> implementing BCP38. TCP versus UDP, and to quote Paul Vixie from
> https://queue.acm.org/detail.cfm?id=2578510
> ] "... but the big reason why SAV isn't the default is: SAV benefits only
> ] other people's customers, not an operator's own customers. 
> ]
> ] There is no way to audit a network from outside to determine if it 
> ] practices SAV. Any kind of compliance testing for SAV has to be done by
> ] a device that's inside the network whose compliance is in question. That
> ] means the same network operator who has no incentive in the first place
> ] to deploy SAV at all is the only party who can tell whether SAV is deployed."
> That, and mis-configured NTP servers, is why we still have reflection
> attacks.

With SMTP relays the situation was not that different.  An open SMTP
relay did not do much damage to the owner; it caused a lot of spam to
be sent that irritated others.   Only by bending the damage to the
owner of the server, by blacklisting it everywhere so that the regular
users could not send mail anymore, could the server owners be convinced
to do something.   Of course that is sad, but that is reality.

With BCP38 (SAV) a similar thing could be done: block certain traffic
from neighbors that have been shown not to implement BCP38.
Of course it is more difficult because it cannot be a simple IP-based
blocklist; it has to be AS-based and has to be effected by peers, who
usually have contracts and would not do this kind of thing easily.

>> Without that, NTP server operators are really helpless against attacks,
>> both of their servers and backscatter attacks against innocent victims.
>> But of course it is outside the scope of NTP to do this, it just happens
>> that NTP is a recent victim of this wide misconfiguration problem.
> The biggest problem with NTP is the amplification factor. With a 1:1 or
> even 1:1.5 amplification factor, the attacker won't bother, and move to
> the next target - SNMP is a good candidate. With a 1:12 or better ratio,
> the attacker is happy.

That is no longer true.  I have seen attacks with much smaller amplification
factors, e.g. using TCP: SYN packets with a spoofed sender address and
both source and destination set to well-known ports like 80 and 443.
This amplifies only a little, but still it is done.

I think the source address spoofing problem should be taken care of before
it gets completely out of hand.  The NTP attacks were only an example.
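As an added example, not code from this post or from the NTP project: a small Python model of the two things argued about above, the amplification factor of a reflected exchange and the BCP38/SAV egress check, plus a check for the spoofed-SYN pattern described in the reply (bare SYNs with a well-known port in both the source and destination fields, which real clients never send). The packet sizes, retransmission count, prefixes, addresses and flow records are constructed for illustration; nothing here is measured or taken from the thread.

```python
"""Added example (not from the mailing-list post or from ntpd): reflection
amplification, BCP38/SAV egress filtering and spoofed-SYN detection, run
over constructed data. All sizes, prefixes, addresses and flow records
below are assumptions chosen for illustration."""
import ipaddress
from collections import defaultdict

# --- 1. Amplification factor ------------------------------------------------
# Constructed on-the-wire sizes in bytes (IP + L4 headers included).
# The responses_per_request value for TCP is an assumption: a reflector
# retransmits SYN-ACK a few times when the (spoofed) client never answers.
EXCHANGES = {
    # name: (request_bytes, response_bytes, responses_per_request)
    "tcp_syn_reflection": (60, 60, 4),
    "udp_small_service":  (64, 96, 1),     # roughly the 1:1.5 case in the thread
    "udp_12x_service":    (90, 1080, 1),   # the 1:12 ratio in the thread
}


def amplification_factor(request_bytes, response_bytes, responses_per_request=1):
    """Bytes delivered to the victim per byte the attacker has to send.
    A per-packet ratio of 1:1 still amplifies if the reflector retransmits."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes * responses_per_request / request_bytes


def rank_exchanges(exchanges=EXCHANGES):
    """Exchanges sorted from most to least attractive for an attacker."""
    scored = {name: amplification_factor(*sizes) for name, sizes in exchanges.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


# --- 2. BCP38 / SAV egress check -------------------------------------------
# Assumed: this operator originates only these prefixes (illustrative).
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]


def passes_sav(src_ip, own_prefixes=OWN_PREFIXES):
    """Egress rule: a packet may leave only if its source address is one the
    operator actually originates. Anything else is spoofed or misrouted and
    is dropped. This is the check BCP38 asks every edge network to apply."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in own_prefixes)


# --- 3. Spotting SYN reflection at the reflector ---------------------------
# Constructed flow records as seen by a web server at 198.51.100.10.
# Real clients use ephemeral source ports; the spoofed SYNs from the thread
# carry a well-known port in BOTH fields.
WELL_KNOWN = {80, 443}
FLOWS = [
    # (src_ip, sport, dst_ip, dport, tcp_flags)
    ("203.0.113.5", 51234, "198.51.100.10", 443, "S"),   # normal client
    ("203.0.113.9", 443,   "198.51.100.10", 443, "S"),   # spoofed; victim 203.0.113.9
    ("203.0.113.9", 80,    "198.51.100.10", 80,  "S"),
    ("203.0.113.9", 443,   "198.51.100.10", 80,  "S"),
    ("198.18.0.7",  80,    "198.51.100.10", 443, "S"),   # spoofed; victim 198.18.0.7
    ("203.0.113.5", 51234, "198.51.100.10", 443, "A"),   # handshake continues
]


def reflection_syns(flows, well_known=WELL_KNOWN):
    """Return {claimed_source: count} for bare SYNs whose source and
    destination ports are both well-known service ports. The claimed source
    is where our SYN-ACKs (and their retransmissions) will go: the victim."""
    hits = defaultdict(int)
    for src, sport, _dst, dport, flags in flows:
        if flags == "S" and sport in well_known and dport in well_known:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    for name, factor in rank_exchanges():
        print(f"{name:20s} amplification {factor:5.1f}x")
    for ip in ("192.0.2.77", "203.0.113.9", "2001:db8::1"):
        print(f"egress {ip:12s} {'pass' if passes_sav(ip) else 'DROP (spoofed)'}")
    print("reflection victims:", reflection_syns(FLOWS))
```

The point the thread makes survives the numbers: the TCP case is only 1:1 per packet, yet with retransmissions it reaches the same order as a modest UDP service, so a low per-packet ratio is no reason to dismiss it. The SAV check is the only one of the three that stops the spoofing at its source; the reflector-side detection can at best tell you who the victim is.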
