[ntp:security] [Bug 3071] test #1

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Tue Jun 14 22:09:02 UTC 2016


Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
           Priority|P5                          |P2
              Group|                            |Security
              Flags|                            |blocking4.2.8+
           Severity|enhancement                 |major

--- Comment #1 from Harlan Stenn <stenn at ntp.org> 2016-06-14 22:09:02 UTC ---
When ntpd is configured with rate limiting (restrict limited in
ntp.conf), the limits are applied also to responses received from its
configured sources. An attacker who knows the sources (e.g. from refid
in server response) can periodically send packets with spoofed source
address to keep the rate limiting activated and prevent ntpd from
accepting valid responses from its sources.

While this rate limiting can be useful to prevent brute-force attacks
on the origin timestamp, it allows this DoS attack. Similarly, it
allows the attacker to prevent mobilization of ephemeral associations.

There are probably several ways how this can be fixed with different
drawbacks. One might be to move the check of the RES_LIMITED flag in
the receive() function after the findpeer() call and drop only packets
that don't match any existing association and can't mobilize a new
one, i.e. when retcode == AM_FXMIT.

Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the security mailing list