[ntp:security] reproducing mode 7 ping pong
mayer at ntp.org
Wed Oct 14 03:20:29 UTC 2009
Believe me, nothing revolves around me. Trust me I know.
I thought you understood this so I didn't think I needed to explain so I
will explain below.
Dmitri showed one attack vector using a too small packet and forging the
IP address source, usual stuff that hackers do, resulting in a ping-pong
between two nodes. Dave Hart's patch just shows another way of doing the
same thing, though it does assume that there is a version of ntpd
running on the same node as the ntpdc client being used to mount the
attack. Neither of the attack vectors is as important as the target of the
attack which I had already identified as a result of Dmitri's report.
The patch that I issued closes all of the possible methods of
accomplishing such an attack which I had to check one at a time to
ensure that the attack cannot succeed. It's not the attack method that's
important, it's the fix to prevent the attacks from succeeding in the
first place and ensuring that needs to be verified to be certain that
there is no method that will allow it to succeed.
Harlan Stenn wrote:
> The universe is bigger than you, or you and the folks on this mailing
> list, or the developers who work on the code.
>> Dave Hart wrote:
>>> With ntpdc alone you can't trigger the DoS, to see the impact on ntpd
>>> in the one-ntpd and two-ntpd cases. Putting the triggering code in
>>> ntpd avoids the need to forge the source address.
>> Right but you don't need to do that to test the patch since we already
>> know the attack vector and fixing the code to drop bad data is
>> sufficient though there is nothing wrong with testing this the DOS itself.
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>> security mailing list
>> security at lists.ntp.org