[Ntp] DDoS meets NTP
Hal Murray <hmurray@megapathdsl.net> Mon, 19 April 2021 17:38 UTC
In-Reply-To: Message from Miroslav Lichvar <mlichvar@redhat.com> of "Mon, 19 Apr 2021 13:09:20 +0200." <YH1k4ETzrUB0tVQt@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/14DmHunAV56-7D5k1tYR7t0cP6s>
mlichvar@redhat.com said:
> What is worse, it can be exploited for a DoS attack on real NTP clients if it
> doesn't randomly let some packets through.

How many is "some"? What fraction of the responses does a client need?

Is this a solvable problem? If I let 1/N through, is there a value of N that lets through enough real replies without also letting through enough bogus traffic to make traditional DDoS practical?

There is a horrible complication in this area: NAT. If there are X clients behind a NAT box, then that IP Address needs X times as much legitimate traffic.

--------

One tool in this area is to have the NTS cookies tied to an IP Address. We discussed this a long time ago. Nobody was interested, but I've forgotten why. Maybe it was more important to allow laptops to keep using their cookies across migrations that change IP Addresses.

We could make it an option. Then people with fixed addresses could turn it on and servers could have 2 modes of rate limiting.

That doesn't help if the bad guy can capture traffic from the client. The server can't tell a replay from normal traffic.

--------

Is there any group within IETF where DDoS discussions would be appropriate?

-- 
These are my opinions. I hate spam.
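As an added illustration (not part of the thread or of any NTP implementation), a small Python model of the trade-off the message asks about: a per-source-address response limiter that answers 1 in N over-budget requests at random, X clients sharing one NAT address, and an optional flood spoofing that address. The limiter, the budget and N values, the traffic rates and the NAT address 192.0.2.1 are constructed assumptions.

```python
import random

class PerAddressLimiter:
    """Per-source-address response limiter of the kind the thread discusses.
    Each address gets at most `budget` answers per one-second window; requests
    beyond that are answered with probability 1/n ("randomly let some packets
    through"), so a limited client still sees occasional replies."""

    def __init__(self, budget, n, rng):
        self.budget, self.n, self.rng = budget, n, rng
        self.windows = {}  # addr -> [current second, answers in that second]

    def answer(self, addr, t):
        w = self.windows.setdefault(addr, [int(t), 0])
        if w[0] != int(t):  # new one-second window: reset the counter
            w[0], w[1] = int(t), 0
        if w[1] < self.budget:
            w[1] += 1
            return True
        return self.rng.random() < 1.0 / self.n  # over budget: 1-in-n lottery


def simulate(clients, poll_interval, attacker_pps, budget, n, seconds=120, seed=7):
    """Constructed scenario: `clients` NTP clients share one NAT address and an
    attacker spoofs that same address at `attacker_pps`.  Returns the fraction
    of legitimate and of spoofed requests that received an answer."""
    rng = random.Random(seed)
    limiter = PerAddressLimiter(budget, n, rng)
    events = []
    for _ in range(clients):  # each client polls every poll_interval seconds
        t = rng.uniform(0, poll_interval)
        while t < seconds:
            events.append((t, "legit"))
            t += poll_interval
    for k in range(int(attacker_pps * seconds)):  # constant-rate spoofed flood
        events.append((k / attacker_pps, "spoof"))
    events.sort()
    sent, answered = {"legit": 0, "spoof": 0}, {"legit": 0, "spoof": 0}
    for t, kind in events:
        sent[kind] += 1
        answered[kind] += limiter.answer("192.0.2.1", t)  # RFC 5737 address as the NAT
    return {k: answered[k] / sent[k] if sent[k] else 0.0 for k in sent}


if __name__ == "__main__":
    print(simulate(64, 16, 0, budget=8, n=10))     # 4 req/s fits the budget
    print(simulate(640, 16, 0, budget=8, n=10))    # 10x clients behind one NAT: self-limited
    print(simulate(64, 16, 1000, budget=8, n=10))  # spoofed flood: legit ~1/n, reflected ~1/n
```

The three runs show the two points in the message: ten times as many clients behind one NAT address are throttled by their own aggregate, and under a spoofed flood the same 1/N that keeps a fraction of real replies flowing also reflects a fraction of the flood.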