[ntp:hackers] i think it's time to review ntp's default acl's

Danny Mayer mayer at ntp.isc.org
Thu Mar 23 21:14:29 UTC 2006


Paul Vixie wrote:
> 
> can someone who knows ntpd's defaults say whether off-LAN queries will or
> will not be answered by default?
> 

As you know, like DNS, NTP was born in an era when everything was open
and you didn't worry about who was querying it. By default, NTP will
respond to anyone who asks, on or off-LAN. Can it be changed easily?
Yes. Will this cause confusion among sysadmins? Of course.

> can someone who knows NTP say whether a normal response is larger than a
> normal query, and whether an error response is larger than a normal query,
> and whether there is any response at all to a malformed query?
> 

PHK has replied to most of this, but malformed queries are always
unceremoniously dropped.

Only mode 6 and mode 7 (control) packets are amplified as they return
information about the server. They can be easily restricted. We could
have that defaulted to localhost only.

> can someone who runs this software in production comment on the advisability
> of rate-limiting error-responses (if there are any), simulating "line loss"?
> 

There is rate-limiting built in, and KOD packets are issued to abusers,
but they tend to get ignored by the clients, most of whom don't know what
a KOD packet is. We have lots of examples of this, including systems
that have moved addresses, where the queries to the old address actually
increase as a result! Abuse has become a major problem in NTP, not
because of maliciousness but mainly because of ignorance and the
ignoring of standards.

> i'm embarrassed to be asking these questions.  we're talking about putting
> bandaids on a sucking chest wound when we know the patient's going to die
> anyway.  but there it is.

You shouldn't be; you can't possibly be an expert on everything. The real
question that comes up is how do we avoid this in the future?

Danny
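[Editor's note: the ntp.conf fragment below is an added example illustrating the access-control points made in the message above; it is not from the post or from the NTP project's shipped defaults. Addresses are placeholders (192.0.2.1 is a documentation address), and the comment about kod depending on limited refers to ntpd 4.2.4 and later, not the version under discussion in 2006.]

```conf
# Added example, not part of the original message. Placeholder addresses.

# ---- The open default described above ----
# Without any restrict lines (or with the line below) ntpd answers time
# requests AND mode 6/7 control queries from anyone, on or off-LAN.
# Do not combine this with the hardened lines that follow.
#
#   restrict default

# ---- Hardened form ----
# Time service stays open to everyone; control queries (mode 6 = ntpq,
# mode 7 = ntpdc) are refused except from localhost; abusers get a KOD.
#   kod      - send a Kiss-o'-Death packet to clients that exceed the rate
#              limit (in ntpd 4.2.4+ kod only takes effect together with
#              limited; older versions send it on any access violation)
#   limited  - enforce the rate limit configured with "discard"
#   nomodify - refuse mode 6/7 requests that would change the server state
#   notrap   - refuse mode 6 trap (event reporting) service
#   nopeer   - refuse unauthenticated symmetric passive associations
#   noquery  - refuse all mode 6/7 queries, i.e. the amplified replies
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Full access (including ntpq/ntpdc) only from the local host.
restrict 127.0.0.1
restrict -6 ::1

# Upstream server (placeholder address): accept its time, still deny
# it control queries and modification.
server 192.0.2.1 iburst
restrict 192.0.2.1 nomodify notrap noquery
```

After reloading, `ntpq -p` from the host itself still works, while the same query from another machine gets no answer, which is the "default to localhost only" behaviour the message suggests for mode 6/7; plain NTP client requests (mode 3) are unaffected because none of the flags above touch them.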

