[Pool] BCP38 and mitigating NTP DDoS attacks

Jim Reid ntp-pool at rfc1035.net
Tue Feb 11 17:47:26 UTC 2014


On 11 Feb 2014, at 16:58, Rob Janssen <rob at knoware.nl> wrote:

> The problem is not NTP, the problem is the lack of source address filtering.

+1. However BCP38 was written almost 15 years ago and is still not universally deployed. It probably never will because the optics are all wrong from a business perspective: an ISP incurs costs which benefit the rest of the world more than it benefits the ISP or its customers.

It looks like this list might be about to rehash the discussions that have been taking place on too many DNS lists for over 2 years now. [Quick history lesson: important DNS servers have been on the receiving end of DDoS attacks with spoofed UDP source addresses long before NTP got targeted.] Before we have a repeat of that discussion here, please read this:

http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/

OK it's about DNS, not NTP. However it's the same attack vector and some of the approaches that new-ish DNS software have taken should be worth considering for NTP servers.

> I propose that the existence of an ISP without source address filtering is handled by
> a reputation system similar to what was brought in place to bring down open SMTP relays,
> another thing that was once a common practice and that needed to be shut down
> because they were being abused by miscreants.

You might as well propose to end poverty by giving everyone in the world enough money.

Widespread uptake of source address filtering is just not going to happen. Get over it. I wish it was otherwise. So let's think about what else can be done. Paul Vixie's article above points the way towards application-level (ie ntpd) defences as part of the solution. It also explains why source address filtering/validation isn't going to be the silver bullet we'd all like/hope it to be.

Here's a straw-man suggestion. NTP over TCP would be the only option for public time servers on the Internet. An ISP could stop outbound UDP/123 at its edge routers and only let its own "trusted" clocks speak TCP/123 to the outside. For bonus points, it could return valid timestamp replies (albeit with faked source addresses maybe) to internal UDP clients that try to go outside. Says he hand-waving.

> Just disconnect every provider that refuses to set up source address filtering until
> they give in.  No source address filtering?  No traffic from you. Period.

I wonder just how long that will last when your boss can't get to his/her favourite web site with kitten pictures. :-)

It would be great if Facebook or google did source address filtering/validation. That would provide a huge incentive to ISPs to get their act together wrt BCP38. But suppose you're in charge at Facebook. Why would you do something that pisses off your customers, puts customer support into meltdown and upsets the advertisers whenever huge numbers of end users get cut off because they're on ISPs who can't or won't do source address filtering/validation any time soon?
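The application-level defence the post points at (DNS RRL-style per-source response rate limiting, applied to a UDP time responder) as an added Python model; this is not code from this thread or from ntpd, and the token-bucket parameters, prefix sizes and traffic are constructed assumptions.

```python
"""Per-source response rate limiting for a UDP time server (token bucket).

Added example, not code from the pool list or from ntpd. When one claimed
source address asks far more often than a real clock client ever would, the
responder stops answering it, so a spoofed victim receives a bounded trickle
instead of an amplified flood. Honest clients polling every 64 s are untouched.
"""
from ipaddress import ip_address, ip_network


class ResponseRateLimiter:
    """Token bucket per source prefix (IPv4 /24, IPv6 /56, a common RRL default)."""

    def __init__(self, responses_per_second=1.0, burst=5):
        self.rate = responses_per_second   # assumed: refill rate, tokens/s
        self.burst = burst                 # assumed: max unanswered-window burst
        self.buckets = {}                  # prefix -> (tokens, last_seen_time)

    @staticmethod
    def _prefix(src):
        addr = ip_address(src)
        bits = 24 if addr.version == 4 else 56
        return ip_network(f"{addr}/{bits}", strict=False)

    def allow(self, src, now):
        """Return True if a response to `src` may be sent at time `now`."""
        key = self._prefix(src)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)   # refill already applied; drop reply
        return False


def simulate(requests, limiter):
    """requests: iterable of (timestamp, source_ip). Returns replies sent per source."""
    sent = {}
    for ts, src in requests:
        if limiter.allow(src, ts):
            sent[src] = sent.get(src, 0) + 1
    return sent


# Constructed traffic: one honest client polling every 64 s, plus 1000 requests
# within half a second that all carry the same spoofed source (the victim).
HONEST = "192.0.2.10"
VICTIM = "203.0.113.5"
TRAFFIC = sorted([(t * 64.0, HONEST) for t in range(10)]
                 + [(100.0 + i / 2000.0, VICTIM) for i in range(1000)])

if __name__ == "__main__":
    print(simulate(TRAFFIC, ResponseRateLimiter()))  # → {'192.0.2.10': 10, '203.0.113.5': 5}
```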


