Re: [Ntp] Details of the fragmentation attacks against NTP and port randomization

Ask Bjørn Hansen <ask@develooper.com> Wed, 05 June 2019 02:45 UTC

From: Ask Bjørn Hansen <ask@develooper.com>
Date: Wed, 05 Jun 2019 10:45:14 +0800
Cc: ntp@ietf.org
To: Danny Mayer <mayer@pdmconsulting.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/2Sb6f9YARJdPbjo_4y5ZbeVpv6U>
Subject: Re: [Ntp] Details of the fragmentation attacks against NTP and port randomization


> On Jun 5, 2019, at 10:41 AM, Danny Mayer <mayer@pdmconsulting.net> wrote:
> 
> Furthermore the attacker doesn't know the server being used by the NTP client so the IP address of that server will be invalid as well. 

This doesn’t seem right. There are much, much fewer NTP servers in the world than there are clients. Even an attacker wildly guessing will have a limited scope of guessing (versus “every possible IP”).


Ask