[ntp:hackers] [Pool] NTP CVE patches?

Miroslav Lichvar mlichvar at redhat.com
Wed Nov 4 08:21:03 UTC 2015


On Tue, Nov 03, 2015 at 01:41:57PM -0800, Charles Swiger wrote:
> An attacker with sufficient bandwidth can flood your incoming pipe, but
> it seems desirable to switch from:
> 
> - replying normally to source IP
> - replying with a KoD RATE reply, if source is sending requests too fast
> - replying with KoD DENY, if the source continues sending requests
> - simply dropping future requests from that source for $LONGTIME ~= 1 day.
> 
> This does the right thing for clients which want time but are being naughty
> and querying too fast, as well as for full DDoS attacks where the source IP
> is forged and might even be the intended target.

Wouldn't that make the attack even worse? We don't want to prevent the
client from getting replies to spoofed requests, we want to keep
sending useful replies to some fraction of its requests when an
attacker is sending spoofed requests, so the client can stay
synchronized.

If the attacker wanted to flood the client's connection, s/he could
send spoofed packets directly to it, no need to reflect from the
server.

> I think ntpd should move from B to C to A, if the traffic rate continues
> to exceed reasonable polling frequency.

I think that's basically what ntpd currently does and what we want to
prevent.

-- 
Miroslav Lichvar
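The two server behaviours discussed in this message, escalating from KoD RATE to KoD DENY to a long block versus keeping some fraction of replies flowing, can be compared with a small simulation. The following is an added example and not code from the thread or from ntpd: it constructs a legitimate client polling every 64 s plus a spoofed flood carrying that client's source address, then counts how many useful replies the real client still receives under each policy. The thresholds, rates and the per-second rate estimator are assumptions chosen for illustration.

```python
"""Compare an escalating block policy with a fractional-service policy
when spoofed requests share a legitimate client's source address."""
import random

POLL_INTERVAL = 64          # legitimate client polls every 64 s
SIM_SECONDS = 2 * 3600      # simulate two hours
ATTACK_PPS = 50             # spoofed packets/s with the client's address (constructed)
KOD_THRESHOLD = 8           # requests/s that count as "too fast" (assumed)
LONGTIME = 24 * 3600        # block duration in the escalating policy, ~1 day
SERVICE_RATE = 5            # replies/s per source the fractional policy allows (assumed)


def build_traffic(seed=1):
    """Constructed traffic: (arrival_time, is_legit) events, sorted by time."""
    rng = random.Random(seed)
    events = [(t + rng.random(), True) for t in range(0, SIM_SECONDS, POLL_INTERVAL)]
    events += [(rng.random() * SIM_SECONDS, False) for _ in range(ATTACK_PPS * SIM_SECONDS)]
    events.sort()
    return events


def escalating_policy(events):
    """Normal reply while under threshold; KoD RATE, then KoD DENY, then drop for LONGTIME."""
    blocked_until = -1.0
    window, count, over, strikes = -1, 0, False, 0
    useful = total = 0
    for t, legit in events:
        if t < blocked_until:
            continue                        # source is being ignored entirely
        sec = int(t)
        if sec != window:
            window, count, over = sec, 0, False
        count += 1
        if count <= KOD_THRESHOLD:
            total += 1
            useful += legit                 # a real time reply reached the client
            continue
        if not over:                        # first over-limit packet this second
            over, strikes = True, strikes + 1
        if strikes >= 3:
            blocked_until = t + LONGTIME    # step A: drop everything from the source
            continue
        total += 1                          # KoD RATE (strike 1) or KoD DENY (strike 2)
    return {"legit_useful": useful, "total_replies": total}


def fractional_policy(events, seed=2):
    """Never block; answer each request with probability SERVICE_RATE / observed rate.

    The observed rate is the previous second's packet count (assumed estimator)."""
    rng = random.Random(seed)
    window, count, prev = -1, 0, 0
    useful = total = 0
    for t, legit in events:
        sec = int(t)
        if sec != window:
            prev = count if sec == window + 1 else 0
            window, count = sec, 0
        count += 1
        p = 1.0 if prev <= SERVICE_RATE else SERVICE_RATE / prev
        if rng.random() < p:                # every packet, spoofed or not, has the same chance
            total += 1
            useful += legit
    return {"legit_useful": useful, "total_replies": total}


def compare(seed=1):
    events = build_traffic(seed)
    return {
        "legit_requests": sum(1 for _, legit in events if legit),
        "escalating": escalating_policy(events),
        "fractional": fractional_policy(events),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

Under the escalating policy the flood pushes the shared source address to the block state within a few seconds, after which the real client gets nothing for the rest of the run; under the fractional policy the server's outgoing rate toward that address stays capped, but the client keeps receiving roughly SERVICE_RATE / ATTACK_PPS of its replies and can stay synchronized.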
