[Ntp] DDoS meets NTP

Hal Murray <hmurray@megapathdsl.net> Mon, 19 April 2021 17:38 UTC

To: NTP WG <ntp@ietf.org>
cc: hmurray@megapathdsl.net
From: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Message from Miroslav Lichvar <mlichvar@redhat.com> of "Mon, 19 Apr 2021 13:09:20 +0200." <YH1k4ETzrUB0tVQt@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 19 Apr 2021 10:38:23 -0700
Message-Id: <20210419173823.CF68C40605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/14DmHunAV56-7D5k1tYR7t0cP6s>
Subject: [Ntp] DDoS meets NTP

mlichvar@redhat.com said:
> What is worse, it can be exploited for a DoS attack on real NTP clients if it
> doesn't randomly let some packets through. 

How many is "some"?  What fraction of the responses does a client need?

Is this a solvable problem?  If I let 1/N through, is there a value of N that 
lets through enough real replies without also letting through enough bogus 
traffic to make traditional DDoS practical?

There is a horrible complication in this area: NAT.  If there are X clients 
behind a NAT box, then that IP Address needs X times as much legitimate 
traffic.

--------

One tool in this area is to have the NTS cookies tied to an IP Address.  We 
discussed this a long time ago.  Nobody was interested, but I've forgotten 
why.  Maybe it was more important to allow laptops to keep using their cookies 
across migrations that change IP Addresses.

We could make it an option.  Then people with fixed addresses could turn it on 
and servers could have 2 modes of rate limiting.  That doesn't help if the bad 
guy can capture traffic from the client.  The server can't tell a replay from 
normal traffic.

--------

Is there any group within IETF where DDoS discussions would be appropriate?



-- 
These are my opinions.  I hate spam.
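To put numbers on the two questions raised in the message (how much a client gets back when the server rate-limits by source address and randomly lets 1/N of the excess through, and what a NAT box with X clients behind it does to that), here is an added simulation. It is example code written for this page, not code from ntpd, chrony or any NTP implementation, and its parameters (a token bucket of 1 packet/s with a burst of 8, 64 s client polling, the documentation address 203.0.113.7 as the shared NAT address, and an attacker spoofing that address at a constructed rate) are assumptions chosen to make the trade-off visible:

```python
import random
from collections import defaultdict


class SourceRateLimiter:
    """Per-source-address token bucket.

    A packet is answered if its source still has a token. When the bucket is
    empty the packet is still answered with probability 1/leak_n, so a source
    that is being flooded (or whose address is being spoofed) is never starved
    completely. leak_n=None disables the random leak.
    """

    def __init__(self, rate, burst, leak_n=None, seed=0):
        self.rate = float(rate)      # tokens refilled per second
        self.burst = float(burst)    # bucket capacity, also the initial allowance
        self.leak_n = leak_n
        self.rng = random.Random(seed)
        self.tokens = defaultdict(lambda: self.burst)
        self.last_seen = {}

    def allow(self, src, now):
        elapsed = now - self.last_seen.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last_seen[src] = now
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        # bucket empty: random leak lets 1 in leak_n packets through anyway
        return self.leak_n is not None and self.rng.randrange(self.leak_n) == 0


def simulate(nat_clients, attack_pps, leak_n, seconds=60.0, poll_interval=64.0,
             rate=1.0, burst=8, seed=1):
    """One public address shared by `nat_clients` real NTP clients (each polling
    every `poll_interval` seconds, random phase) while an attacker sends
    `attack_pps` packets/s with that same address spoofed as the source.

    Returns {"legit": fraction of real polls answered,
             "attack": fraction of spoofed packets answered}.
    """
    rng = random.Random(seed)
    nat_addr = "203.0.113.7"          # constructed: the NAT box's public address
    events = []
    for _ in range(nat_clients):
        t = rng.uniform(0.0, poll_interval)
        while t < seconds:
            events.append((t, "legit"))
            t += poll_interval
    if attack_pps > 0:
        events += [(i / attack_pps, "attack") for i in range(int(attack_pps * seconds))]
    events.sort()

    limiter = SourceRateLimiter(rate, burst, leak_n, seed)
    seen = {"legit": 0, "attack": 0}
    answered = {"legit": 0, "attack": 0}
    for t, kind in events:
        seen[kind] += 1
        if limiter.allow(nat_addr, t):
            answered[kind] += 1
    return {k: (answered[k] / seen[k] if seen[k] else 0.0) for k in seen}


if __name__ == "__main__":
    cases = [(10, 0, None), (200, 0, None), (40, 1000, None), (40, 1000, 2), (40, 1000, 100)]
    for nat, pps, n in cases:
        print(f"clients={nat:4d} attack={pps:5d}/s leak=1/{n}: {simulate(nat, pps, n)}")
```

Two things fall out of running it. With 200 clients behind the NAT and no attack at all, a fixed 1 packet/s allowance already drops most of the legitimate polls, which is the X-times-as-much-traffic point: any per-address limit has to scale with the number of hosts sharing the address, and the server cannot see that number. Under a spoofed flood, the random leak is the only thing that reaches the real clients, and because it cannot tell a real poll from a spoofed one, whatever fraction it hands to the real clients (1/N) it also hands to the attacker; N=2 keeps the clients alive but answers half the flood, N=100 answers 1% of the flood but also 1% of the real polls.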
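The message also proposes making NTS cookies optionally tied to the client's IP address, and notes the limit of that: a replay from the same address still verifies. The following added example shows that mechanism and its limit. It is illustrative code written for this page, not the cookie format of RFC 8915 or of any NTS implementation: it uses a stdlib encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) in place of the AEAD cipher, the client address is bound by feeding it to the MAC as associated data, and the server key and client addresses (documentation ranges) are constructed values:

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _derive(server_key, label):
    # separate encryption and MAC keys from the one server secret
    return hmac.new(server_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; stands in for the AEAD cipher of RFC 8915
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _mac_input(flag, addr, nonce, ciphertext):
    # the binding flag and the address are authenticated, not just the payload
    return bytes([flag, len(addr)]) + addr + nonce + ciphertext


def make_cookie(server_key, payload, client_ip=None):
    """Seal `payload` (the per-association keys the server must recover later)
    into a cookie. With client_ip set, the MAC also covers that address, so the
    cookie only verifies when presented from it; without it, the cookie is
    address-independent (the laptop-roaming case)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_derive(server_key, b"enc"), nonce, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, ks))
    flag = 1 if client_ip is not None else 0
    addr = ipaddress.ip_address(client_ip).packed if client_ip is not None else b""
    tag = hmac.new(_derive(server_key, b"mac"),
                   _mac_input(flag, addr, nonce, ciphertext), hashlib.sha256).digest()
    return bytes([flag]) + nonce + ciphertext + tag


def open_cookie(server_key, cookie, source_ip):
    """Return the sealed payload, or None if the cookie does not verify for the
    address the request actually arrived from."""
    if len(cookie) < 1 + NONCE_LEN + TAG_LEN:
        return None
    flag = cookie[0]
    nonce = cookie[1:1 + NONCE_LEN]
    ciphertext = cookie[1 + NONCE_LEN:-TAG_LEN]
    tag = cookie[-TAG_LEN:]
    addr = ipaddress.ip_address(source_ip).packed if flag == 1 else b""
    expected = hmac.new(_derive(server_key, b"mac"),
                        _mac_input(flag, addr, nonce, ciphertext), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_derive(server_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    server_key = secrets.token_bytes(32)            # constructed server secret
    keys = b"c2s-and-s2c-keys"                      # constructed payload
    bound = make_cookie(server_key, keys, "198.51.100.10")
    print("same address     :", open_cookie(server_key, bound, "198.51.100.10"))
    print("other address    :", open_cookie(server_key, bound, "203.0.113.5"))
    print("replay, same addr:", open_cookie(server_key, bound, "198.51.100.10"))
    roaming = make_cookie(server_key, keys)
    print("unbound, roamed  :", open_cookie(server_key, roaming, "203.0.113.5"))
```

The second and third lines of output are the point of the message: a cookie captured and presented from another address fails, but the same cookie presented again from the bound address verifies exactly like the original, because a stateless server has nothing to distinguish the replay from a fresh request. The address check therefore helps against spoofed sources, not against an attacker who can capture the client's traffic. Flipping the flag byte to turn a bound cookie into an unbound one also fails, since the flag is under the MAC.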