[ntp:hackers] 'noserve' etc. and the protocol response matrix

TGLASSEY tglassey at earthlink.net
Tue Jan 28 22:15:38 UTC 2014


All you have to do is revoke the license for the code and force people 
to change who are commercially audited. It's that simple. The issue is 
whether there is an ethical push to make that happen.

Todd

On 1/28/2014 12:51 PM, Havard Eidnes wrote:
>> I worry that we may be shooting ourselves in the foot with
>> noquery. The recent publicity of the DDOS CVE means that NTP users
>> right and left will be adding "noquery" to the default
>> restriction. The ntptrace program will effectively stop working, "ntpq
>> -p" will stop working. And what is worse, security auditors the world
>> over will now be insisting that every single installation of NTP have
>> "noquery" whether it really needs it or not.
>>
>> The only way that I can see that we can prevent this from happening is
>> to stop all possibility of using NTP as a packet amplification
>> vector. No packet should ever cause more than a single return packet
>> of some reasonable size. We should classify all control commands into
>> one of two types, "read" and "write" and have separate restrict rules
>> for each. All "write" commands should require a "nonce" exchange
>> before the command is accepted. There should be a way to disable any
>> and all control commands on an individual basis.
>>
>> Any thoughts? Disagreement?
> I agree.
>
> My $0.02 advice: get a safe release out the door.  Not a development
> interim, not a beta test -- a real release.  This should at least set
> the scene for packagers and integrators to include the new code in
> their offerings.
>
> Still, the question remains whether the damage isn't already done, and
> that it will still take quite a long time for the new ntp code to
> propagate "out there".  Getting the "noquery" configs removed again
> when it's "safe" is going to be an uphill battle.
>
> However, for older ntp versions, there is no other expedient way to
> close the access to "monlist" than doing noquery, right?
>
> It's often not terribly practical to do a full upgrade of ntpd, and
> when the only other option to installing restrictions using noquery is
> "install this development snapshot, from source" I can totally
> understand the administrator's reluctance.
>
> Or ... have I completely misunderstood the situation?
>
> Regards,
>
> - Håvard
> _______________________________________________
> hackers mailing list
> hackers at lists.ntp.org
> http://lists.ntp.org/listinfo/hackers
>
>

-- 
-------------

Personal Email - Disclaimers Apply
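The quoted proposal (separate "read" and "write" restrict classes, a nonce exchange before any write command is accepted, a per-command disable switch, and never more than one bounded reply per request) can be modelled in a few dozen lines. The following is an added illustration written for this thread; it is not ntpd code and not anything from the list. The command classification table, the `Policy` class, the `noquery`/`nomodify`/`disabled` flags, the 480-byte response cap, the 30-second nonce lifetime and the HMAC-based stateless nonce are all assumptions made for the example.

```python
"""Toy model of the control-command response matrix proposed in the thread.

Assumptions (not from ntpd or the list): commands are tagged READ or WRITE,
each class has its own restrict flag, WRITE needs a nonce exchange bound to
the source address, any command can be disabled individually, and every
request produces at most one reply of at most MAX_RESPONSE_BYTES.
"""
import hashlib
import hmac
import os
import time

MAX_RESPONSE_BYTES = 480   # assumed cap: one bounded datagram per request
NONCE_TTL = 30             # assumed nonce lifetime in seconds
READ, WRITE = "read", "write"

# Assumed classification table, for illustration only.
COMMAND_CLASS = {
    "peers": READ,
    "readvar": READ,
    "monlist": READ,       # historically the large-reply command; see `disabled`
    "writevar": WRITE,
    "config": WRITE,
}


class Policy:
    def __init__(self, noquery=False, nomodify=False, disabled=(), secret=None):
        self.noquery = noquery          # refuse every READ control command
        self.nomodify = nomodify        # refuse every WRITE control command
        self.disabled = set(disabled)   # per-command kill switch
        self.secret = secret or os.urandom(32)

    def issue_nonce(self, client_addr, now=None):
        """Stateless nonce: HMAC over (source address, issue time)."""
        now = int(time.time() if now is None else now)
        msg = f"{client_addr}|{now}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]
        return f"{now}:{mac}"

    def check_nonce(self, client_addr, nonce, now=None):
        """Valid only from the address it was issued to and within NONCE_TTL."""
        now = int(time.time() if now is None else now)
        try:
            issued_s, mac = nonce.split(":", 1)
            issued = int(issued_s)
        except (ValueError, AttributeError):
            return False
        if not 0 <= now - issued <= NONCE_TTL:
            return False
        msg = f"{client_addr}|{issued}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]
        return hmac.compare_digest(expected, mac)

    def handle(self, client_addr, command, payload=b"", nonce=None, now=None):
        """Return (status, reply_bytes). Exactly one reply, never above the cap."""
        kind = COMMAND_CLASS.get(command)
        if kind is None or command in self.disabled:
            return "refused", b""                     # unknown or switched off: drop
        if kind == READ and self.noquery:
            return "refused", b""
        if kind == WRITE:
            if self.nomodify:
                return "refused", b""
            if nonce is None:
                # First leg of the exchange: reply only with a small token.
                # A spoofed source never receives it, so cannot complete the write.
                return "nonce", self.issue_nonce(client_addr, now).encode()
            if not self.check_nonce(client_addr, nonce, now):
                return "refused", b""
        body = self._execute(command, payload)
        return "ok", body[:MAX_RESPONSE_BYTES]        # single bounded reply

    @staticmethod
    def _execute(command, payload):
        # Constructed stand-in output; a real server would read its own state.
        if command == "peers":
            return b"\n".join(b"peer %d 10.0.0.%d st 2" % (i, i) for i in range(1, 200))
        if command == "readvar":
            return b'version="toy",stratum=2'
        return b"ok"


def amplification(request_len, reply):
    """Bytes returned per byte received; the cap keeps this bounded."""
    return len(reply) / max(request_len, 1)


if __name__ == "__main__":
    p = Policy(secret=b"constructed-demo-key")
    status, reply = p.handle("192.0.2.1", "peers")
    print(status, len(reply), "bytes, amplification", amplification(48, reply))
    status, token = p.handle("192.0.2.1", "writevar", now=1000)
    print(status, token)
    print(p.handle("192.0.2.1", "writevar", nonce=token.decode(), now=1005)[0])
```

The `peers` reply is truncated to the cap rather than split into many packets, which is the property the proposal cares about: a forged request can only ever elicit one datagram of known maximum size. The nonce is bound to the source address and the issue time, so it costs the server no state, and a request arriving from a different address or after the lifetime is refused outright.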
