[ntp:security] [Bug 2901] Clients that receive a KoD should validate the origin timestamp field.

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Fri Aug 28 03:18:31 UTC 2015


--- Comment #5 from Danny Mayer <mayer at ntp.org> 2015-08-28 03:18:31 UTC ---
(In reply to comment #4)
> There are clearly problems with any choice here.
> Majdi is right, it's possible to launch a DOS attack against a server by
> sending it a properly-chosen set of packets designed to throw off the clock and
> then send KoD packets to prevent the target from acquiring correct time from
> good servers.

Well, not really. If you are properly set up you get multiple packets from
different servers and it's extremely hard for an attacker to do this to all of
them. In any case, for DENY or RSTR codes the recipient of a kiss code packet
is required to drop the association. For RATE it needs to reduce the frequency
of queries. 

For ALL cases the recipient is required to drop the packet. The values of the
timestamps cannot be used. I've had discussions with Dave Mills on some of this
and it is clear that this is the design of the kiss codes. Under NO
circumstances can the contents of the packets be used so even if there was a
DOS attack these packets could not be used for anything to set the clock.

The biggest worry has been the clients that abuse the upstream NTP servers
(this is especially a problem with government servers) and is far more
important and required than possible attack vectors.

> I'm now wondering about the situation where if the association is
> authenticated, we'd only believe a KoD packet from the server if it was
> similarly authenticated.

It doesn't matter, the packet needs to be dropped. 

> There are potential problems no matter what we do here.
> There are conflicting/complementary mechanism choices here.  We need to let
> folks make local policy choices.

The problem raised is more theoretical than real. Any change would be
detrimental to real live and busy systems.
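
The kiss-code handling described in this comment (DENY/RSTR drop the association, RATE reduces the query frequency, the packet is discarded in every case), combined with the origin-timestamp check from the bug title, as an added example that is not part of the original message and is not ntpd's code. The function and enum names are hypothetical, and the sample packet is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; this is not ntpd's code. */
enum kod_action { NOT_KOD, MALFORMED, KOD_ORIGIN_MISMATCH, KOD_DROP_ONLY,
                  KOD_REDUCE_RATE, KOD_DEMOBILIZE };

/* RFC 5905 header offsets: stratum, reference ID (kiss code), origin timestamp. */
enum { OFF_STRATUM = 1, OFF_REFID = 12, OFF_ORIGIN = 24, NTP_HDR_LEN = 48 };

/* Classify a reply. sent_xmt is the transmit timestamp of our last request.
 * Every result except NOT_KOD means: discard the packet and never use its
 * timestamps for the clock. */
enum kod_action classify_kod(const uint8_t *pkt, size_t len, const uint8_t sent_xmt[8])
{
    if (len < NTP_HDR_LEN) return MALFORMED;
    if (pkt[OFF_STRATUM] != 0) return NOT_KOD;   /* KoD replies carry stratum 0 */
    /* Check from the bug title: the origin field must echo what we sent,
     * otherwise the kiss code is ignored (the packet is still dropped). */
    if (memcmp(pkt + OFF_ORIGIN, sent_xmt, 8) != 0) return KOD_ORIGIN_MISMATCH;
    if (!memcmp(pkt + OFF_REFID, "DENY", 4) || !memcmp(pkt + OFF_REFID, "RSTR", 4))
        return KOD_DEMOBILIZE;                   /* drop the association */
    if (!memcmp(pkt + OFF_REFID, "RATE", 4))
        return KOD_REDUCE_RATE;                  /* query less often */
    return KOD_DROP_ONLY;                        /* any other kiss code */
}

/* Constructed sample: build a 48-byte server reply and classify it.
 * echo_origin selects whether the reply echoes our transmit timestamp. */
enum kod_action classify_sample(uint8_t stratum, const char *refid, int echo_origin)
{
    static const uint8_t ours[8] = {0xD9, 0x8A, 0x4E, 0x27, 0x11, 0x22, 0x33, 0x44};
    uint8_t pkt[NTP_HDR_LEN] = {0};
    pkt[0] = 0xE4;                               /* LI=3, VN=4, mode=4 (server) */
    pkt[OFF_STRATUM] = stratum;
    memcpy(pkt + OFF_REFID, refid, 4);
    if (echo_origin) memcpy(pkt + OFF_ORIGIN, ours, 8);
    return classify_kod(pkt, sizeof pkt, ours);
}

int main(void)
{
    printf("RATE, origin echoed:     %d\n", classify_sample(0, "RATE", 1));
    printf("DENY, origin not echoed: %d\n", classify_sample(0, "DENY", 0));
    return 0;
}
```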
