[ntp:security] Safety of machines behind firewalls in running pre 4.2.8

Philip Gladstone philip at gladstonefamily.net
Sun Dec 21 01:36:10 UTC 2014


On 12/20/14, 11:04, Brad Knowles wrote:
> On Dec 19, 2014, at 11:22 PM, Philip Gladstone <philip at gladstonefamily.net> wrote:
>
>> In this case, the firewall will forward the attack packet through to the vulnerable server as it appears to be a response to a request that the server sent.
> Isn’t this kind of attack possible for virtually every single Internet service in existence?  Machine A chooses to contact Machine B, and Machine B responds in a way that is malicious, but since Machine A contacted it the response from Machine B is seen as a legitimate reply?
>
> Unless the firewall knows enough about each and every protocol that passes through in order to sanitize all the packets and only allow the known good ones through, I don’t see any way to resolve this issue.
>
> And if you do go the route of requiring the firewall to have complete and perfect knowledge of every single protocol and every single implementation of said protocol, isn’t that a self-DoS?
>
I think that the situation is different with NTP. In most cases, the 
client behind the firewall is contacting known systems. For example, an 
SSH client only talks to systems that you know and trust. With NTP, you 
are talking to *any* system in the POOL. I'm assuming (probably naively) 
that up to yesterday all of those systems were run by trustworthy 
organizations (does this include the NSA?). Today, if I were a black hat, 
I would be spinning up 50 servers (or 500) in some hosting provider, 
registering them all in the POOL and thereby gaining access to a bunch of 
machines behind firewalls.

I agree that the firewall cannot be expected to filter out all malicious 
traffic -- if the organization is running IDS systems, then I would 
expect the signatures to be upgraded to check for this traffic.

The implication is that every implementation of NTP needs to be upgraded 
-- even those behind firewalls.

Philip
