[ntp:hackers] NTP DoS attack blog post

Brian Utterback brian.utterback at oracle.com
Tue Feb 25 01:01:51 UTC 2014


On 02/20/14 00:21, Harlan Stenn wrote:
> http://nwtime.org/ntp-winter-2013-network-drdos-attacks/
>

Does anyone know if there is any other potential amplification attack in 
the code, other than monlist? I would like to avoid just blindly telling 
everyone to add noquery to the default restriction list, for reasons 
that we have already discussed. I have been suggesting using "disable 
monitor" on leaf nodes instead. My first thought was that leaf nodes are 
not susceptible to even the monlist attack since there wouldn't be a 
long list of clients, but then I realized that it would be trivial to 
create a long list by simply spoofing a bunch of ntp packets first to 
fill the list and then send in the monlist command packets.

So, anyway, I am getting some pushback on using just "disable monitor" 
because they are once bitten twice shy and want to avoid any possibility 
of an attack. So, one possible command would be "peers", but really 
there shouldn't be any systems whose peer list is long enough to take 
more than one or two packets, right? Unless they have disabled auth, 
there shouldn't be any way to add peers, right?

Does anyone know of any other commands (control or private) that might 
result in more than one or two packets returned?

-- 
blu

Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. - Martin Golding
-----------------------------------------------------------------------|
Brian Utterback - Solaris RPE, Oracle Corporation.
Ph:603-262-3916, Em:brian.utterback at oracle.com
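The two mitigations weighed in the message above, shown side by side in a leaf-node ntp.conf. This is an added example, not configuration from the thread or from the NTP project; it assumes a classic ntpd 4.2.x configuration file, and the upstream server names are illustrative.

```conf
# Added example: leaf-node ntp.conf applying the mitigations discussed in
# the thread. Not from the post or the NTP project; server names are
# illustrative.

# Before: a default restriction without noquery still answers mode 6/7
# queries (including monlist) from any source address, so the host can
# be used as a reflector. Shown commented out as the weak setting.
#restrict default nomodify notrap

# After: refuse all ntpq/ntpdc queries by default while still serving
# time. nopeer also prevents unauthenticated hosts from being added as
# peers, which bears on the "peers" question raised in the message.
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery

# Permit queries from the local host only, so "ntpq -p" still works
# for the administrator.
restrict 127.0.0.1
restrict -6 ::1

# The alternative suggested for leaf nodes: do not keep the monitor
# list at all, so monlist has nothing to return even where a query
# would otherwise be permitted.
disable monitor

# Upstream time sources (illustrative names).
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
```

With both settings in place, a monlist query from an outside address is dropped by the restriction and, if it ever reached the daemon, would find an empty list; check with "ntpq -p" locally to confirm the server still synchronises.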