[ntp:hackers] NTP DoS attack blog post
Brian Utterback
brian.utterback at oracle.com
Tue Feb 25 01:01:51 UTC 2014
On 02/20/14 00:21, Harlan Stenn wrote:
> http://nwtime.org/ntp-winter-2013-network-drdos-attacks/
>
Does anyone know if there is any other potential amplification attack in
the code, other than monlist? I would like to avoid just blindly telling
everyone to add noquery to the default restriction list, for reasons
that we have already discussed. I have been suggesting using "disable
monitor" on leaf nodes instead. My first thought was that leaf nodes are
not susceptible to even the monlist attack since there wouldn't be a
long list of clients, but then I realized that it would be trivial to
create a long list by simply spoofing a bunch of ntp packets first to
fill the list and then send in the monlist command packets.
So, anyway, I am getting some pushback on using just "disable monitor"
because they are once bitten, twice shy and want to avoid any possibility
of an attack. So, one possible command would be "peers", but really
there shouldn't be any systems whose peer list is long enough to take
more than one or two packets, right? Unless they have disabled auth,
there shouldn't be any way to add peers, right?
Does anyone know of any other commands (control or private) that might
result in more than one or two packets returned?
--
blu
Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. - Martin Golding
-----------------------------------------------------------------------|
Brian Utterback - Solaris RPE, Oracle Corporation.
Ph:603-262-3916, Em:brian.utterback at oracle.com
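The mode 7 "monlist" exchange discussed above, as an added example that is not code from the ntp project or from this post. It builds the 8-byte MON_GETLIST_1 probe that the public scanners send, parses the private-mode (mode 7) response header and the 72-byte info_monitor_1 records, and estimates the amplification ratio from constructed sample responses. Assumptions: the header layout and constants follow the reference implementation's ntp_request.h as I remember them; a server with "disable monitor" is modelled as answering with the INFO_ERR_NODATA error (my reading of ntpd's mon_getlist; a "noquery" restriction produces no reply at all, which this model represents as an empty list); every address, timestamp and the 600-entry list size are constructed sample data, not a capture.

```python
"""NTP mode 7 monlist request/response handling and amplification estimate.

Added example; not code from the ntp project or the mailing list post.
Header layout follows ntpd's private-mode packet (ntp_request.h, assumed):
  byte 0: R(1) M(1) VN(3) Mode(3)     byte 1: Auth(1) Sequence(7)
  byte 2: implementation              byte 3: request code
  bytes 4-5: Err(4) NItems(12)        bytes 6-7: MBZ(4) ItemSize(12)
"""
import ipaddress
import struct

MODE7_HEADER = struct.Struct("!BBBBHH")   # 8-byte header, network byte order
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42                    # "monlist" as sent by ntpdc
INFO_ERR_NODATA = 4                       # assumed reply when "disable monitor" is set
MON_ITEM_SIZE = 72                        # sizeof(struct info_monitor_1)
ITEMS_PER_PACKET = 6                      # 8 + 6 * 72 = 440-byte response packets
MON_ITEM = struct.Struct("!7IHBBII16s16s")  # lasttime firsttime restr count addr daddr flags
                                            # port mode version v6_flag unused addr6 daddr6


def build_monlist_request() -> bytes:
    """Header-only probe: R=0 M=0 VN=2 mode=7 (0x17), seq 0, no items."""
    return MODE7_HEADER.pack(0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt: bytes) -> dict:
    b0, b1, impl, req, err_count, mbz_size = MODE7_HEADER.unpack_from(pkt)
    return {
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07, "mode": b0 & 0x07,
        "auth": bool(b1 & 0x80), "seq": b1 & 0x7F,
        "impl": impl, "req": req,
        "err": err_count >> 12, "count": err_count & 0x0FFF,
        "size": mbz_size & 0x0FFF,
    }


def monlist_entries(pkt: bytes) -> list:
    """Decode the IPv4 client records of one monlist response packet."""
    h = parse_mode7_header(pkt)
    if h["err"] or h["req"] != REQ_MON_GETLIST_1 or h["size"] != MON_ITEM_SIZE:
        return []
    out = []
    for i in range(h["count"]):
        f = MON_ITEM.unpack_from(pkt, 8 + i * h["size"])
        out.append({"addr": str(ipaddress.IPv4Address(f[4])), "count": f[3],
                    "port": f[7], "mode": f[8], "version": f[9]})
    return out


def make_monlist_response(seq: int, n_items: int, more: bool) -> bytes:
    """Constructed response mimicking a server that still serves monlist."""
    b0 = 0x80 | (0x40 if more else 0) | 0x17
    hdr = MODE7_HEADER.pack(b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                            n_items & 0x0FFF, MON_ITEM_SIZE)
    # Sample client records: 10.0.0.x (constructed), mode 3, version 4, port 123
    items = b"".join(
        MON_ITEM.pack(1000 + i, 10 + i, 0, 5, 0x0A000000 + i, 0xC0A80001, 0,
                      123, 3, 4, 0, 0, b"\0" * 16, b"\0" * 16)
        for i in range(n_items))
    return hdr + items


def make_error_response(seq: int, err: int) -> bytes:
    """Constructed error reply (what "disable monitor" is assumed to return)."""
    return MODE7_HEADER.pack(0x80 | 0x17, seq & 0x7F, IMPL_XNTPD,
                             REQ_MON_GETLIST_1, (err & 0xF) << 12, 0)


def simulate_vulnerable_server(n_entries: int) -> list:
    """All reply packets for a monitor list of n_entries (6 records per packet)."""
    if n_entries == 0:
        return [make_error_response(0, INFO_ERR_NODATA)]
    pkts, seq, remaining = [], 0, n_entries
    while remaining > 0:
        n = min(ITEMS_PER_PACKET, remaining)
        remaining -= n
        pkts.append(make_monlist_response(seq, n, remaining > 0))
        seq += 1
    return pkts


def amplification_factor(request: bytes, responses: list) -> float:
    """Bytes sent back to the (spoofed) source per byte of request."""
    return sum(len(r) for r in responses) / len(request)


if __name__ == "__main__":
    req = build_monlist_request()
    full = simulate_vulnerable_server(600)   # list filled, e.g. by spoofed client packets
    print(len(full), "packets,", amplification_factor(req, full), "x amplification")
    print(monlist_entries(full[0])[:2])
    print(parse_mode7_header(make_error_response(0, INFO_ERR_NODATA))["err"])
```

The ratio printed depends only on the request length and the number of list entries; with an 8-byte probe and a list an attacker has padded to 600 spoofed clients, 100 packets of 440 bytes come back, which is the asymmetry the thread is worried about. The "peers" and other private-mode requests can be checked the same way by changing the request code and item size: whatever returns more than a packet or two for a fixed-size request is a candidate. For a leaf node, "disable monitor" leaves the mode 7 path answering with a single error packet; "restrict default noquery" stops both mode 6 and mode 7 replies entirely.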