[ntp:hackers] i think it's time to review ntp's default acl's

Paul Vixie paul at vix.com
Thu Mar 23 17:10:35 UTC 2006


isc is under significant pressure from the world community to change the
default in BIND to be "do not answer queries from off-LAN sources", due
to the now widespread use of DNS as a reflector/amplifier of spoofed-source
DDoS attacks.  now, we know that the spoofability of sources is the real
problem, and that changing the default ACL's is at best a band-aid, but we
(isc) are going to make a change like this as of BIND9 9.4.0 (due R.S.N.)

since ntp is also udp-based, i think it's time to review ntp's default ACL.
(net-snmp already has this default, as does samba and every other UDP-based
service for which a UNIX-style implementation is available in open source.)

please note that amplification, meaning a server responds with a much larger
packet than the request, is only gravy in the meal known as DDoS.  the meat
and potatoes of it is reflection.  therefore in BIND9 9.4.0, we'll not only
change the default ACL, but we'll rate-limit our REFUSED responses.  this
will manifest as "line loss" to query sources who fall outside the ACL, but
is a necessary evil in order to attenuate rather than reflect (or amplify).

can someone who knows ntpd's defaults say whether off-LAN queries will or
will not be answered by default?

can someone who knows NTP say whether a normal response is larger than a
normal query, and whether an error response is larger than a normal query,
and whether there is any response at all to a malformed query?

can someone who runs this software in production comment on the advisability
of rate-limiting error-responses (if there are any), simulating "line loss"?

i'm embarrassed to be asking these questions.  we're talking about putting
bandaids on a sucking chest wound when we know the patient's going to die
anyway.  but there it is.


More information about the hackers mailing list