[ntp:security] [Bug 3114] Broadcast Mode Replay Prevention DoS

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Tue Nov 15 14:59:48 UTC 2016


http://bugs.ntp.org/show_bug.cgi?id=3114

--- Comment #29 from Matthew Van Gundy <mvangund at cisco.com> 2016-11-15 14:59:48 UTC ---
(In reply to comment #28)
> Hi Matt,
> 
> Sure, but that means you don't have any sort of protection from bogus packets
> entering your network.
> 
> How is this considered "normal" or "acceptable" practice?
> 
> If the attacker is spoofing the source address of the real broadcast server on
> the broadcast network that's the Adjacent network, as I scored it.

Hi Harlan,

I agree that preventing this sort of IP spoofing is a best practice, but I was
under the impression that it is not commonly followed.  Linux's reverse path
filter does this by default on modern systems, but whether strict uRPF is
commonly enabled on enterprise networking gear is a different question.

I double-checked with some network admins that I know who have done consulting
work on a variety of networks.  They confirmed that preventing ingress of
packets with source addresses on the destination subnet is a "good, but not
common, practice" and that, in their experience, only a minority of enterprise
networks enable strict uRPF.

Matt
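Since the thread hinges on whether strict reverse-path filtering is actually enabled, here is an added POSIX shell check (not code from the bug thread or the NTP project) that classifies the Linux rp_filter setting per interface from sysctl-style key/value lines. It assumes input in the format `sysctl net.ipv4.conf` prints and applies the kernel rule that the effective mode is the larger of the `all` and per-interface values; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit Linux reverse-path filtering (net.ipv4.conf.*.rp_filter).
# Values per the kernel's ip-sysctl documentation:
#   0 = no source validation, 1 = strict (RFC 3704 uRPF), 2 = loose.
# The kernel applies max(conf/all, conf/<iface>) when validating on <iface>.

# classify_rp_filter TEXT
#   Prints "<iface> strict|loose|off" for every real interface found in TEXT.
#   Expected input lines look like: net.ipv4.conf.eth0.rp_filter = 1
classify_rp_filter() {
  printf '%s\n' "$1" | awk -F'[ =.]+' '
    $1 == "net" && $2 == "ipv4" && $3 == "conf" && $5 == "rp_filter" { v[$4] = $6 + 0 }
    END {
      allv = ("all" in v) ? v["all"] : 0
      for (i in v) {
        if (i == "all" || i == "default") continue   # pseudo-interfaces, not real ones
        eff = (v[i] > allv) ? v[i] : allv             # kernel uses the max of all/iface
        mode = (eff == 1) ? "strict" : ((eff == 2) ? "loose" : "off")
        print i, mode
      }
    }'
}

# count_non_strict TEXT
#   Number of real interfaces whose effective mode is not strict; 0 means the
#   host drops packets whose source address is not routable back via that interface.
count_non_strict() {
  classify_rp_filter "$1" | awk '$2 != "strict" { n++ } END { print n + 0 }'
}

# Constructed sample: "all" is off, so each interface's own value decides.
# eth0 is strict, eth1 has filtering off, br0 is in loose mode.
SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.br0.rp_filter = 2
net.ipv4.conf.eth0.accept_source_route = 0'

classify_rp_filter "$SAMPLE"
echo "interfaces not in strict mode: $(count_non_strict "$SAMPLE")"
```

On a live host, feed it `sysctl net.ipv4.conf` output; sysctl prints interface names that contain a dot (VLAN sub-interfaces) with `/` in place of `.`, so they still parse as one field.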
