[ntp:security] Safety of machines behind firewalls in running pre 4.2.8

Danny Mayer mayer at ntp.org
Wed Dec 24 17:24:30 UTC 2014

On 12/22/2014 11:06 AM, Philip Gladstone wrote:
> On 12/21/14, 23:49, Danny Mayer wrote:
>> On 12/20/2014 8:36 PM, Philip Gladstone wrote:
>>> I think that the situation is different with NTP. In most cases, the
>>> client behind the firewall is contacting known systems. For example, an
>>> SSH client only talks to systems that you know and trust. With NTP, you
>>> are talking to *any* system in the POOL. I'm assuming (probably naively)
>>> that up to yesterday all of those systems were run by trustworthy
>>> organizations (does this include the NSA?). Today, if I was a black hat,
>>> I would be spinning up 50 servers (or 500) in some hosting provider,
>>> registering them all in the POOL and thereby get access to a bunch of
>>> machines behind firewalls.
>>> I agree that the firewall cannot be expected to filter out all malicious
>>> traffic -- if the organization is running IDS systems, then I would
>>> expect the signatures to be upgraded to check for this traffic.
>> No, that's not how ntp works. The ntp server behind the firewall sends a
>> mode 4 packet to the rogue server. The rogue server needs to return a
>> mode 3 packet. See RFC5905 Section 3. When the packet is received, if
>> it's not a valid packet it will get dropped. What are you expecting it
>> to do? What kind of packet is the rogue server going to send?
> The rogue server can perform a query against the initiating client, and
> if that client has not been configured (restrict noquery), then
> (apparently) it can be exploited. The firewall will let this packet
> through (unless it deeply understands the NTP protocol).

What you are proposing is that someone sets up a bunch of servers to add
to the pool, registers them including an email address where the admin
can be reached, gets bombarded with queries verifying good data,
followed by a large number of clients requesting time data and still
expects to be able to attack a server behind a firewall? Not only does
the attacker have a lot of work to do, but he or she leaves an email
trail. This is not a likely or practical scenario.


More information about the security mailing list