[ntp:security] [Bug 3110] Windos: ntpd DoS by oversized UDP packet

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Fri Sep 9 05:44:16 UTC 2016


Juergen Perlinger <perlinger at ntp.org> changed:

           What    |Removed                     |Added
           Priority|P5                          |P1
             Status|CONFIRMED                   |IN_PROGRESS
            Summary|test #1                     |Windos: ntpd DoS by
                   |                            |oversized UDP packet
         OS/Version|All                         |Windows 7
           Severity|enhancement                 |critical

--- Comment #1 from Juergen Perlinger <perlinger at ntp.org> 2016-09-09 05:44:16 UTC ---
Rober Pajak <robert.pajak at pl.abb.com> gave the following report:

In short: After sending messaged with optional field set, the NTP server stops

Testing environment:
- Windows 7 Ultimate Service Pack 1
- Meinberg NTP version: 4.2.8p8

Repro steps:

1. Application processed NTP request without extension field, from test tool
properly and gives a proper server response(packet number 102-103) - just to
check if everything is fine


2. Application received 6 NTP requests with extension field enabled from test
tool (104-113) but not responding - this so far acceptable according to the NTP


3. Test tool sent more NTP requests again without enabling extension field
(Packet number 114 to 134) and application is still not responding with a
proper server message - INPROPER BEHAVIOR


A pcap file and ntp configuration file are attached to this message.

NTP Event Log:


Please contact us if any more information is needed and also if we are doing
something wrong.


Analysis of the log file shows that ntpd does not deal well with partial reads
of UDP frames, which is a specialty of the Windows UDP implementation.

Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the security mailing list