[ntp:security] [Bug 1331] DoS with mode 7 packets

Danny Mayer via the NTP Bugzilla bugzilla at ntp.org
Sun Oct 4 22:40:58 UTC 2009


http://bugs.ntp.org/1331



----------------------------------------------------------------------------
Additional Comments From mayer at ntp.org (Danny Mayer)
Submitted on 2009-10-04 22:40

>From dmitri vinokurov:

Dave, Danny,
Thanks for your comments and acknowledgement.
I believe there is still some misunderstanding though.
- the problem is NOT in lack of format/length/version control, sanity check,
etc. - all this can be made up in the first rogue packet. Danny got it right -
"Receipt of an error response should not be responded to", and this is the core
issue. Ntpd endlessly responds even to itself, on the same platform.
- the exploit is as trivial as to send one individual packet - ntpd does all the
flooding job for us by itself, and this is indeed easier than to throw whatever
commands at a fat rate. The result is - CPU load goes up to 100% on both sides
depending on the platform, network is busy, and no skills required to exploit
this. The overall risk is very high.

-- 
Danny Mayer <mayer at ntp.org>



------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


More information about the security mailing list