[ntp:security] Safety of machines behind firewalls in running pre 4.2.8

Danny Mayer mayer at pdmconsulting.net
Mon Dec 22 04:49:49 UTC 2014

On 12/20/2014 8:36 PM, Philip Gladstone wrote:
> On 12/20/14, 11:04, Brad Knowles wrote:
>> On Dec 19, 2014, at 11:22 PM, Philip Gladstone
>> <philip at gladstonefamily.net> wrote:
>>> In this case, the firewall will forward the attack packet through to
>>> the vulnerable server as it appears to be a response to a request
>>> that the server sent.
>> Isn’t this kind of attack possible for virtually every single
>> Internet service in existence?  Machine A chooses to contact Machine
>> B, and Machine B responds in a way that is malicious, but since
>> Machine A contacted it the response from Machine B is seen as a
>> legitimate reply?
>> Unless the firewall knows enough about each and every protocol that
>> passes through in order to sanitize all the packets and only allow the
>> known good ones through, I don’t see any way to resolve this issue.
>> And if you do go the route of requiring the firewall to have complete
>> and perfect knowledge of every single protocol and every single
>> implementation of said protocol, isn’t that a self-DoS?
> I think that the situation is different with NTP. In most cases, the
> client behind the firewall is contacting known systems. For example, an
> SSH client only talks to systems that you know and trust. With NTP, you
> are talking to *any* system in the POOL. I'm assuming (probably naively)
> that up to yesterday all of those systems were run by trustworthy
> organizations (does this include the NSA?). Today, if I was a black hat,
> I would be spinning up 50 servers (or 500) in some hosting provider,
> registering them all in the POOL and thereby get access to a bunch of
> machines behind firewalls.
> I agree that the firewall cannot be expected to filter out all malicious
> traffic -- if the organization is running IDS systems, then I would
> expect the signatures to be upgraded to check for this traffic.

No, that's not how ntp works. The ntp server behind the firewall sends a
mode 4 packet to the rogue server. The rogue server needs to return a
mode 3 packet. See RFC5905 Section 3. When the packet is received, if
it's not a valid packet it will get dropped. What are you expecting it
to do? What kind of packet is the rogue server going to send?


More information about the security mailing list