Re: [Ntp] Rate limiting: DDoS, KoD, Pool, NAT

Hal Murray <hmurray@megapathdsl.net> Tue, 08 December 2020 18:03 UTC

To: Philip Prindeville <philipp@redfish-solutions.com>
cc: Hal Murray <hmurray@megapathdsl.net>, ntp@ietf.org
From: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Message from Philip Prindeville <philipp@redfish-solutions.com> of "Tue, 08 Dec 2020 10:38:55 MST." <284E5B37-59C1-4E1E-ACD3-C131540ABEA9@redfish-solutions.com>
Date: Tue, 08 Dec 2020 10:03:55 -0800
Message-Id: <20201208180355.111BB40605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/1fRJextoMmUVsoRWnXhWZYpq6nQ>

philipp@redfish-solutions.com said:
> My point was that the address stuffed into the cookie/nonce would mismatch
> the address in the source address of the IP packet once it got SNAT’d.

> It sounded like you were tacitly counting on the two being a match.

I think it works, but maybe I'm missing something.

Server behind NAT box:
  Server gets the client's correct IP Address, which goes into the cookie.
  When the cookie comes back, it has the same IP Address and matches.

Client behind NAT box:
  Server gets address of NAT box.  That goes into cookie.
  When the cookie comes back, it has the same address (NAT box) and matches.

Note that "IP Address" in the above does not include the port number.

I think the key idea is that both ends don't have to agree on what the IP 
Address is.  The server both inserts the IP Address into the cookie and checks 
it when the cookie comes back.  As long as the packet comes from the same NAT 
box things will match.

If there are multiple clients behind the NAT box, one of them could use his 
cookies to DoS another system behind the same NAT box.


-- 
These are my opinions.  I hate spam.
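The address-bound cookie check described in the message above, as an added example that is not part of the original post and not code from any NTP implementation. The HMAC construction, the server secret and the sample addresses (RFC 5737 documentation ranges) are assumptions; the page only says the address is "stuffed into the cookie". It walks the two NAT cases, shows that the UDP port is not part of the binding, and ends with the limitation Hal notes: clients behind one NAT box present the same address, so the check cannot tell them apart.

```python
import hmac
import hashlib

# Constructed server-side secret for the example; not from the page.
SERVER_SECRET = b"constructed-example-secret-not-from-the-page"


def make_cookie(src_ip: str, src_port: int, secret: bytes = SERVER_SECRET) -> bytes:
    """Server side: bind the cookie to the source IP address the server saw.
    Only the address is bound; the port is deliberately ignored, matching the
    message's note that "IP Address" excludes the port number."""
    del src_port  # present in the packet, intentionally not part of the binding
    return hmac.new(secret, src_ip.encode(), hashlib.sha256).digest()[:16]


def check_cookie(cookie: bytes, src_ip: str, src_port: int,
                 secret: bytes = SERVER_SECRET) -> bool:
    """Server side: recompute from the returning packet's source address and
    compare in constant time. The client never needs to know its own address."""
    return hmac.compare_digest(cookie, make_cookie(src_ip, src_port, secret))


def server_behind_nat() -> bool:
    # The server's NAT rewrites the server's address, not the client's, so the
    # server sees the client's real address on both legs and the cookie matches.
    client_ip = "198.51.100.7"  # constructed
    return check_cookie(make_cookie(client_ip, 40001), client_ip, 40001)


def client_behind_nat() -> bool:
    # The server only ever sees the NAT box's address, on both legs.
    nat_ip = "203.0.113.5"  # constructed
    return check_cookie(make_cookie(nat_ip, 40001), nat_ip, 40001)


def port_rewrite_still_matches() -> bool:
    # A NAT may pick a new source port later; since the port is not bound,
    # the cookie remains valid as long as the address is unchanged.
    nat_ip = "203.0.113.5"
    return check_cookie(make_cookie(nat_ip, 40001), nat_ip, 51234)


def other_address_rejected() -> bool:
    # A cookie replayed from a different source address fails the check.
    return check_cookie(make_cookie("203.0.113.5", 40001), "192.0.2.9", 40001)


def shared_nat_limitation() -> bool:
    # Two hosts behind the same NAT box share a source address, so a cookie
    # issued toward one validates for the other: the check alone cannot
    # single out one host behind a NAT (the caveat in the last paragraph).
    nat_ip = "203.0.113.5"
    return check_cookie(make_cookie(nat_ip, 40001), nat_ip, 40002)
```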