[ntp:questions] Thoughts on KOD

detha detha at foad.co.za
Mon Jul 7 13:32:56 UTC 2014

On Mon, 07 Jul 2014 07:50:16 +0000, Rob wrote:

> detha <detha at foad.co.za> wrote:
>> The biggest problem with NTP is the amplification factor. With a 1:1 or
>> even 1:1.5 amplification factor, the attacker won't bother, and move to
>> the next target - SNMP is a good candidate. With a 1:12 or better ratio,
>> the attacker is happy.
> That is no longer true.  I have seen attacks with much smaller
> amplification factors, e.g. using TCP.   SYN packets with spoofed sender
> address and both source and destination set to wellknown ports like 80,
> 443. This amplifies only a little, but still it is done.

Different attack profile. With an amplification factor of 1 to 2
the purpose of a reflection attack is to hide the attack source (often
a few hosts with large pipes), at high PPS rates. With high amplification
factors the purpose is to generate a large amount of data using only a
small pipe.

> I think the source address spoofing problem should be taken care of before
> it gets completely out of hand.  The NTP attacks were only an example.

Amplification attacks started in earnest with DNS a few years ago, and
when major DNS providers (and most implementations) implemented RRL it
shifted to NTP. My guess is that it will stay with NTP until either the
number of amplifying servers is low enough to be difficult to find, or
until a few of the big players get tired of it, and start blocking NTP
completely, much like ISPs block TCP/25 on residential networks.

BCP38/rpf/SAV will not be implemented soon (if at all) in a lot of
networks. Wether one likes it or not, the only practical solution for now
is some form of RRL or blacklisting. Both involve keeping state about
client requests, either in ntpd or at the IDS/firewall level. So far, ntpd
seems to be the easiest place to implement it.


More information about the questions mailing list