[ntp:questions] Can I stop authenticated peers from mobilizing symmetric associations

Miroslav Lichvar mlichvar at redhat.com
Fri Mar 10 09:20:50 UTC 2017


On Fri, Mar 10, 2017 at 02:34:51AM -0500, Majdi S. Abbas wrote:
> On Thu, Mar 09, 2017 at 05:24:35PM +0100, Miroslav Lichvar wrote:
> > Couldn't the malicious client create a larger number of ephemeral
> > associations, using multiple IP addresses, in order to outvote good
> > servers?
> 
> 	If it has a bunch of IP addresses, maybe... but you'd have to
> be close enough to the existing clock to capture the peer.. (read:
> close/low latency and jitter path, and serve better time than the
> configured servers for a while).

I'm not sure if distance and jitter really matter here. The source
selection algorithm discards falsetickers before distance/jitter are
involved in the clustering and combining.

I was able to reproduce the issue with ntp-4.2.8p9. The server was
configured with three good stratum-1 server. Four clients that had a
valid key were off by 10 minutes. They created symmetric associations
with the server and were able to outvote the good servers, even though
their distance and jitter was much larger.

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
xgood-server1    .GPS.            1 u   21   64  377    0.244  -600000   0.096
xgood-server2    .GPS.            1 u   24   64  377    0.241  -600000   0.112
xgood-server3    .GPS.            1 u   56   64  377    0.233  -600000   0.066
+bad-client1     LOCAL(1)         3 S   22   64  377   31.424   -0.752   2.211
+bad-client2     LOCAL(1)         3 S   17   64  377   36.310    0.015   1.741
+bad-client3     LOCAL(1)         3 S   27   64  377   34.919    0.462   2.441
*bad-client4     LOCAL(1)         3 S   38   64  377   31.443   -0.491   1.401

> 	...and that assumes you aren't using prefer on your chosen servers.

You mean the true option? The prefer option doesn't seem to have an
effect on falsetickers.

Another way to avoid this problem might be allowing authentication of
server packets with keys that are not marked as trusted with the
trustedkey directive. If clients used untrusted keys for
authentication of the server, they wouldn't be able to create
symmetric associations.

-- 
Miroslav Lichvar


More information about the questions mailing list