[ntp:security] [Bug 1331] New: DoS with mode 7 packets

Danny Mayer via the NTP Bugzilla bugzilla at ntp.org
Sun Oct 4 22:27:11 UTC 2009


           Summary: DoS with mode 7 packets
           Product: ntp
           Version: 4.2.5
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: ntpd
        AssignedTo: stenn at ntp.org
        ReportedBy: mayer at ntp.org
                CC: security at ntp.org

From dmitri vinokurov:
We believe there is a flaw in NTP which allows one to build an effective and
easily exploitable DoS attack.
The topology used includes two nodes running ntp and an attacker's PC:

PC--->  [node1 ntpd1]: --------[node2 ntpd2]

PC sends one crafted UDP packet with a one-byte payload 0x17, i.e. an NTP Request
in mode 7.
This UDP packet has spoofed source IP of, destination =,
source port 123 and destination port 123.
Node1 responds with a mode 7 Error Response to Node2, and here comes something we
cannot conceive. Ntpd2 responds back with the same mode 7 Error Response to
Node1, Ntpd1 does the same again, etc. with an aggregate rate of a few thousand
pps. CPU is taken away on both sides, network is busy...
Better yet, if we spoof Node1's address as a source, Node1 sends
all these packets to itself all the time! Endless.
Payload "97 00 00 00" (Response mode 7) works too.

We believe ntpd must either drop an unexpected mode 7 Response, or drop any mode
7 packets originated from port 123 (they have to use high number source ports).

Authentication and ACLs may help, but these are rather workarounds. Would it be
possible to address the core issue?

Danny Mayer <mayer at ntp.org>
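
Added example (not part of the original report, and not ntpd's own code): a C sketch of the two checks the report proposes, dropping mode 7 responses and dropping mode 7 requests that arrive from source port 123. The function name mode7_filter, the verdict names and the sample payloads are assumptions constructed for illustration; the bit layout matches the report's byte values, where 0x17 is a mode 7 request and 0x97 has the response bit set.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* First octet of a mode 7 packet: R(1) | M(1) | VN(3) | Mode(3). */
#define RESP_BIT     0x80u  /* set in responses, clear in requests */
#define MODE_MASK    0x07u
#define MODE_PRIVATE 7u
#define NTP_PORT     123u

enum verdict { PASS = 0, DROP_RESPONSE = 1, DROP_SRC_PORT = 2 };

/* Hypothetical pre-filter (assumption, not ntpd code): decide whether an
 * inbound datagram may reach the mode 7 request handler at all. Dropping
 * silently means no error reply is generated, so no reply loop can start. */
enum verdict mode7_filter(const uint8_t *pkt, size_t len, uint16_t src_port)
{
    if (len == 0 || (pkt[0] & MODE_MASK) != MODE_PRIVATE)
        return PASS;                 /* not mode 7: normal processing */
    if (pkt[0] & RESP_BIT)
        return DROP_RESPONSE;        /* a server does not expect responses */
    if (src_port == NTP_PORT)
        return DROP_SRC_PORT;        /* another ntpd or a spoofed source */
    return PASS;                     /* request from a high client port */
}

/* Constructed sample payloads using the byte values quoted in the report. */
static const uint8_t REQ_1BYTE[]    = { 0x17 };
static const uint8_t RESP_4BYTE[]   = { 0x97, 0x00, 0x00, 0x00 };
static const uint8_t CLIENT_MODE3[] = { 0x23 };  /* first octet: VN 4, mode 3 */

int main(void)
{
    printf("0x17 from port 123:   %d\n", mode7_filter(REQ_1BYTE, 1, 123));
    printf("0x97.. from port 123: %d\n", mode7_filter(RESP_4BYTE, 4, 123));
    printf("0x17 from port 40000: %d\n", mode7_filter(REQ_1BYTE, 1, 40000));
    printf("0x23 from port 123:   %d\n", mode7_filter(CLIENT_MODE3, 1, 123));
    return 0;
}
```

Either check alone stops the exchange described in the report, because both the one-byte request and the "97 00 00 00" response are discarded without a reply.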
