[ntp:questions] better rate limiting against amplification attacks?

Rob nomail at example.com
Wed Jan 15 20:35:32 UTC 2014


William Unruh <unruh at invalid.ca> wrote:
> On 2014-01-15, Rob <nomail at example.com> wrote:
>> William Unruh <unruh at invalid.ca> wrote:
>>> On 2014-01-15, Steve Kostecke <kostecke at ntp.org> wrote:
>>>> On 2014-01-15, David Woolley wrote:
>>>>
>>>>> On 27/12/13 10:24, Rob wrote:
>>>>>
>>>>>> There are more and more amplification attacks against ntp servers,
>>>>>> similar to those against open DNS resolvers. A small packet sent with
>>>>>> a spoofed source address (allowed by a lame ISP) results in a large
>>>>>> reply from ntpd, sent to the victim of the attack.
>>>>>
>>>>> CERT have just issued an alert about the monlist attack:
>>>>> <https://www.us-cert.gov/ncas/alerts/TA14-013A> (TA14-013A: NTP
>>>>> Amplification Attacks Using CVE-2013-5211). The advice is upgrade or
>>>>> use restrict.
>>>>
>>>> Upgrade _or_ use noquery _or_ disable monitor
>>>>
>>>> Information at http://support.ntp.org/security
>>>
>>> Why does ntpd not disable external monitoring or command by default.
>>> That way if someone wants to allow it, they have to actively do so,
>>> presumably knowing what they are doing.
>>
>> The default config shipped with ntpd, usually mostly provided by the
>> distributor, is often terrible.  (remember the LOCAL clock?)
>
> I do not mean the default in the config file, I mean the default if
> there is no config file or if nothing is set in the config file.

That only becomes meaningful when ntpd starts to actually work without
config file.  Of course that would be possible, but I don't think it
is reality today.  Or is it, in the latest versions?

> I agree that distros could well put in something to undo that and that
> they often do really stupid things (mainly because they do not
> understand things).

This problem would probably not exist when a good default config file
was shipped by the maintainers.  Distro people don't have time on their
hands and when a default config is available, they often use it.
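The mitigations named in this thread (restrict with noquery, disable monitor, and ntpd's built-in rate limiting) as a single ntp.conf fragment; this is an added example, not a config from the thread or from any distributor, and the upstream server names are placeholders.

```conf
# Example ntp.conf hardening against monlist amplification (CVE-2013-5211).
# Added example, not from the thread; server names below are placeholders.

# The weak default many packages shipped: everything open to everyone,
# including mode-7 queries such as monlist.
#restrict default

# Refuse everything from unknown hosts except plain time service:
#   nomodify  - reject runtime configuration changes
#   notrap    - reject trap (remote event logging) requests
#   nopeer    - reject unsolicited symmetric-active peering
#   noquery   - reject ntpq/ntpdc queries, which is what monlist is
#   limited   - apply the rate limit set by 'discard' below
#   kod       - answer rate-limited clients with a Kiss-o'-Death packet
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Full access only from the box itself, for local administration.
restrict 127.0.0.1
restrict -6 ::1

# Rate limit used by 'limited': average spacing 2^3 = 8 s between
# packets per source, 2 s guard time (the documented defaults, spelled out).
discard average 3 minimum 2

# Stop maintaining the MRU list that monlist reads, so a monlist request
# has nothing to return even if a restrict line is later loosened by mistake.
disable monitor

# Upstream time sources (placeholders).
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
```

On ntpd 4.2.7p26 and later the monlist query is already refused by default, so upgrading alone closes that specific vector; the restrict lines remain worthwhile because noquery also closes the other mode-6/mode-7 queries to untrusted hosts.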
