[ntp:hackers] Protocol specification modification for MS-SNTP

Martin Burnicki martin.burnicki at meinberg.de
Thu Jul 9 08:17:05 UTC 2009

Dave Hart wrote:
> On Tue, Jul 7, 2009 at 9:23 PM, David Mills<mills at udel.edu> wrote:
> > What I would worry about is a terrorist tossing zero digest packets with
> > randomly chosen key ID at speed. Like a SYN-flood attack, sooner or
> > later he will get lucky.
> For an ntpd configured with Samba4 on the same host to emulate a
> Windows DC, it's true that you can computationally clog the server by
> requesting signed replies as fast as possible to a bunch of different
> keyids.  You don't even have to be clever to guess the key IDs to
> target, as in MS-SNTP the lower 31 bits map directly to the relative
> ID or RID, which is the user/group object number within the domain,
> assigned sequentially from a well-known starting point like 512.  It
> would have been nice if Microsoft required the client to sign the
> request as well as expecting a signed response, but even if so  there
> would be work verifying the digest doesn't match.
> I'm not sure there's any luck to be had, though.  Guessing a keyid
> that maps to a machine account is easy, but what do you do with the
> signed reply, not knowing the secret used to sign it?

Any idea how MS's impementation (w32time) would behave in case of on a sign 
request flood attack?



Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont

More information about the hackers mailing list