[ntp:security] Safety of machines behind firewalls in running pre 4.2.8

Philip Gladstone philip at gladstonefamily.net
Mon Dec 22 16:06:49 UTC 2014

On 12/21/14, 23:49, Danny Mayer wrote:
> On 12/20/2014 8:36 PM, Philip Gladstone wrote:
>> I think that the situation is different with NTP. In most cases, the
>> client behind the firewall is contacting known systems. For example, an
>> SSH client only talks to systems that you know and trust. With NTP, you
>> are talking to *any* system in the POOL. I'm assuming (probably naively)
>> that up to yesterday all of those systems were run by trustworthy
>> organizations (does this include the NSA?). Today, if I was a black hat,
>> I would be spinning up 50 servers (or 500) in some hosting provider,
>> registering them all in the POOL and thereby get access to a bunch of
>> machines behind firewalls.
>> I agree that the firewall cannot be expected to filter out all malicious
>> traffic -- if the organization is running IDS systems, then I would
>> expect the signatures to be upgraded to check for this traffic.
> No, that's not how ntp works. The ntp server behind the firewall sends a
> mode 4 packet to the rogue server. The rogue server needs to return a
> mode 3 packet. See RFC5905 Section 3. When the packet is received, if
> it's not a valid packet it will get dropped. What are you expecting it
> to do? What kind of packet is the rogue server going to send?
The rogue server can perform a query against the initiating client, and 
if that client has not been configured (restrict noquery), then 
(apparently) it can be exploited. The firewall will let this packet 
through (unless it deeply understands the NTP protocol).


More information about the security mailing list