[ntp:hackers] 'noserve' etc. and the protocol response matrix

Brian Utterback brian.utterback at oracle.com
Tue Jan 28 23:48:39 UTC 2014


On 1/28/2014 3:51 PM, Havard Eidnes wrote:
>> I worry that we may be shooting ourselves in the foot with
>> noquery. The recent publicity of the DDOS CVE means that NTP users
>> right and left will be adding "noquery" to the default
>> restriction. The ntptrace program will effectively stop working, "ntpq
>> -p" will stop working. And what is worse, security auditors the world
>> over will now be insisting that every single installation of NTP have
>> "noquery" whether it really needs it or not.
>>
>> The only way that I can see that we can prevent this from happening is
>> to stop all possibility of using NTP as a packet amplification
>> vector. No packet should ever cause more than a single return packet
>> of some reasonable size. We should classify all control commands into
>> one of two types, "read" and "write" and have separate restrict rules
>> for each. All "write" commands should require a "nonce" exchange
>> before the command is accepted. There should be a way to disable any
>> and all control commands on an individual basis.
>>
>> Any thoughts? Disagreement?
> I agree.
>
> My $0.02 advice: get a safe release out the door.  Not a development
> interim, not a beta test -- a real release.  This should at least set
> the scene for packagers and integrators to include the new code in
> their offerings.
>
> Still, the question remains whether the damage isn't already done, and
> that it will still take quite a long time for the new ntp code to
> propagate "out there".  Getting the "noquery" configs removed again
> when it's "safe" is going to be an uphill battle.
>
> However, for older ntp versions, there is no other expedient way to
> close the access to "monlist" than doing noquery, right?
>
> It's often not terribly practical to do a full upgrade of ntpd, and
> when the only other option to installing restrictions using noquery is
> "install this development snapshot, from source" I can totally
> understand the administrator's reluctance.
>
> Or ... have I completely misunderstood the situation?
>
> Regards,
>
> - Håvard

I think you are exactly correct. To that end, I would suggest that
either we remove noquery altogether or make it a synonym with my
proposed "nowrite" restrict option. Of course we can't do anything about
previous versions of NTP, but then if we strengthen the security of the
control commands they have an incentive to upgrade and otherwise they
really do need it, unless we can get "disable monitor" as the preferred
solution.

Brian
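The two mitigations discussed in this thread, shown side by side as an added ntp.conf example (not part of the thread or of the NTP project's own documentation). Fragment 1 is the blanket "noquery" restriction that the posters worry auditors will demand everywhere; fragment 2 keeps read-only queries working and instead uses "disable monitor" so the monlist data that makes the amplification response large is never collected. Both fragments use only standard ntpd 4.2.x directives; the choice of which restrict flags to combine is an assumption for illustration, not a recommended default.

```conf
# Added example, not from the thread: contrasting ntp.conf fragments.
# Use one fragment or the other, not both.

# --- Fragment 1: blanket noquery ---
# Refuses every mode 6/7 query from non-local addresses. This stops
# monlist amplification, but as the thread notes it also breaks remote
# "ntpq -p" and ntptrace against this server.
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

# --- Fragment 2: keep queries, turn off the monitor list ---
# "disable monitor" stops ntpd from maintaining the most-recently-used
# client list that the mode 7 monlist request returns, so there is no
# large response to amplify. Read-only mode 6 queries still work;
# nomodify/notrap still refuse runtime configuration changes and traps.
disable monitor
restrict default nomodify notrap nopeer
restrict -6 default nomodify notrap nopeer
restrict 127.0.0.1
restrict -6 ::1
```

After restarting ntpd with fragment 2, a remote "ntpq -p <server>" still answers, which is the behaviour the thread wants to preserve, while a monlist request against the same server gets no data to return. Fragment 2 only helps on versions that honour "disable monitor"; on releases that cannot be upgraded and do not, noquery remains the only in-config way to close monlist, which is exactly the tension Håvard describes.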

