[ntp:security] [Bug 1331] New: DoS with mode 7 packets
Danny Mayer via the NTP Bugzilla
bugzilla at ntp.org
Sun Oct 4 22:27:11 UTC 2009
Summary: DoS with mode 7 packets
AssignedTo: stenn at ntp.org
ReportedBy: mayer at ntp.org
CC: security at ntp.org
From Dmitri Vinokurov:
We believe there is a flaw in NTP which allows one to build an effective and easily
exploitable DoS attack.
The topology used includes two nodes running ntp and an attacker's PC:
PC---> [node1 ntpd1]:184.108.40.206 --------220.127.116.11:[node2 ntpd2]
PC sends one crafted UDP packet with one byte payload 0x17, i.e. NTP Request in
This UDP packet has spoofed source IP of 18.104.22.168, destination = 22.214.171.124,
source port 123 and destination port 123.
Node1 responds with a mode 7 Error Response to Node2, and here comes something we
cannot conceive. Ntpd2 responds back with the same mode 7 Error Response to
Node1, Ntpd1 again does the same, etc., at an aggregate rate of a few thousand
pps. CPU is taken away on both sides, the network is busy...
Better yet, if we spoof Node1's address 126.96.36.199 as the source, Node1 sends
all these packets to itself all the time! Endless.
Payload "97 00 00 00" (Response mode 7) works too.
We believe ntpd must either drop an unexpected mode 7 Response, or drop any mode
7 packets originating from port 123 (they have to use high-numbered source ports).
Authentication and ACLs may help, but these are rather workarounds. Would it be
possible to address the core issue?
Danny Mayer <mayer at ntp.org>
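The exchange described above, as an added illustration that is not part of the bug report and not ntpd's own code. It models the network in memory: each datagram is a source/destination address and port plus a payload, and a node's reply is a mode 7 packet with the response (R) bit set in the first header byte, sent back to whatever source the incoming packet claimed. The addresses are RFC 5737 documentation addresses, not the ones from the report, and "vulnerable" versus "hardened" are assumed policies: the hardened one applies the two checks the report proposes (drop unexpected mode 7 responses, drop mode 7 packets with source port 123). The layout of everything after the first header byte is not modelled, since only that byte drives the loop.

```python
"""Simulate the ntpd mode 7 reflection loop from the report (added example, not ntpd code)."""
from collections import deque
from dataclasses import dataclass

NTP_PORT = 123
MODE_PRIVATE = 7  # mode 7 is the private (ntpdc) control protocol

# Payloads from the report: a single 0x17 byte (request, version 2, mode 7)
# and "97 00 00 00" (same header with the response bit already set).
CRAFTED_REQUEST = bytes.fromhex("17")
CRAFTED_RESPONSE = bytes.fromhex("97000000")


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_rm_vn_mode(first_byte):
    """Split the first mode 7 header byte: R (bit 7), M (bit 6), VN (bits 3-5), mode (bits 0-2)."""
    return {
        "response": bool(first_byte & 0x80),
        "more": bool(first_byte & 0x40),
        "version": (first_byte >> 3) & 0x07,
        "mode": first_byte & 0x07,
    }


def error_response(to, own_ip):
    """Reply as the report describes: same header with the R bit set, sent back to the claimed source.

    Assumed layout: only the first byte is meaningful here; the rest is zero padding.
    """
    hdr = to.payload[0] | 0x80
    return Datagram(own_ip, NTP_PORT, to.src_ip, to.src_port, bytes([hdr, 0, 0, 0]))


def handle(node_ip, pkt, policy):
    """Return the reply a node sends for `pkt`, or None if it drops the packet."""
    if pkt.dst_port != NTP_PORT or not pkt.payload:
        return None
    hdr = parse_rm_vn_mode(pkt.payload[0])
    if hdr["mode"] != MODE_PRIVATE:
        return None  # modes 1-6 are not modelled here
    if policy == "hardened":
        # Either check proposed in the report breaks the loop on its own.
        if hdr["response"]:
            return None  # an unexpected mode 7 response: nobody asked for it
        if pkt.src_port == NTP_PORT:
            return None  # real ntpdc clients use high-numbered source ports
    # Vulnerable behaviour: anything it cannot process is answered with an error response
    # (request processing itself is not modelled, so every mode 7 packet ends up here).
    return error_response(pkt, node_ip)


def run(initial, nodes, policy, limit=10_000):
    """Deliver datagrams until the network is quiet or `limit` replies have been generated.

    Returns the number of replies the ntpd nodes sent; hitting `limit` means the loop never stops.
    """
    queue = deque([initial])
    sent = 0
    while queue and sent < limit:
        pkt = queue.popleft()
        if pkt.dst_ip not in nodes:
            continue  # the attacker's PC or a non-ntpd host never answers
        reply = handle(pkt.dst_ip, pkt, policy)
        if reply is not None:
            sent += 1
            queue.append(reply)
    return sent


if __name__ == "__main__":
    node1, node2 = "192.0.2.1", "192.0.2.2"  # placeholder addresses
    nodes = {node1, node2}
    spoofed = Datagram(node2, NTP_PORT, node1, NTP_PORT, CRAFTED_REQUEST)
    self_loop = Datagram(node1, NTP_PORT, node1, NTP_PORT, CRAFTED_RESPONSE)
    for policy in ("vulnerable", "hardened"):
        print(policy, "two-node:", run(spoofed, nodes, policy, limit=500),
              "self-loop:", run(self_loop, nodes, policy, limit=500))
```

With the vulnerable policy a single spoofed packet keeps both nodes talking until the packet cap is hit, and the self-addressed variant loops on one node alone; with the hardened policy the same packets produce no reply at all, while a mode 7 request from a high-numbered client port still gets exactly one answer.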