[ntp:security] Safety of machines behind firewalls in running pre 4.2.8

Philip Gladstone philip at gladstonefamily.net
Sat Dec 20 05:22:41 UTC 2014

I suspect that a sufficiently motivated attacker can attack machines 
(e.g. desktop systems) behind firewalls if they are running a pre-4.2.8 
version of ntpd.

The approach is as follows:

* Bad guy adds server into pool.ntp.org and claims 1Gb bandwidth
* Bad guy's machine gets lots of traffic, including traffic from 
vulnerable servers behind firewalls.
* Bad guy can now send the attack packets just after getting requests 
from the vulnerable servers.

In this case, the firewall will forward the attack packet through to the 
vulnerable server as it appears to be a response to a request that the 
server sent.

I have pinged Ask to request that he be on the lookout for new servers 
being registered....

I don't think that there is anything that you can do about this, but it 
makes me even more nervous....

Been playing with NTP since 1991.

More information about the security mailing list