Re: [Ntp] Details of the fragmentation attacks against NTP and port randomization

" tglassey@earthlink.net " <tglassey@earthlink.net> Thu, 06 June 2019 03:51 UTC

To: "Majdi S. Abbas" <msa@latt.net>, AskBjørn Hansen <ask@develooper.com>
From: "tglassey@earthlink.net" <tglassey@earthlink.net>
Cc: ntp@ietf.org, Danny Mayer <mayer@pdmconsulting.net>
Date: Thu, 06 Jun 2019 06:51:34 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/2URA-_Za6_Nz4zZJoHHbu8VUo6I>

Yes. PoC exists. It's run from intermediaries just like SMTP spoofing is, and while arrogance wants to push this as very difficult, it's not.

Sent from my HTC, so please excuse any typos.

----- Reply message -----
From: "Majdi S. Abbas" <msa@latt.net>
To: "AskBjørn Hansen" <ask@develooper.com>
Cc: <ntp@ietf.org>, "Danny Mayer" <mayer@pdmconsulting.net>
Subject: [Ntp] Details of the fragmentation attacks against NTP and port randomization
Date: Wed, Jun 5, 2019 19:09

On Wed, Jun 05, 2019 at 10:45:14AM +0800, Ask Bjørn Hansen wrote:
> This doesn’t seem right. There are much, much fewer NTP servers in the 
> world than there are clients. Even an attacker wildly guessing will 
> have a limited scope of guessing (versus “every possible IP”).

You're still going to have to guess the entire set of servers
the client is using, get them to accept small fragmented packets, with
an invalid or zero checksum...and do this for a minimum of 8 poll 
intervals in order to fool the discipline filters.  So you have to 
correctly predict the timing, and try to send additional fragments...
while the host is still processing the UDP frame.

This does not appear to be anything but a very theoretical 
attack at this point -- does anyone have a proof of concept?

Additionally: Can anyone think of a reason an implementation
should accept an additional fragment if the MF bit was not set in the
first packet?  (Particularly an overlapping fragment, when we are not
expecting any fragments at all?)

And does that behavior exist in the wild?

Thanks,

--msa

_______________________________________________
ntp mailing list
ntp@ietf.org
https://www.ietf.org/mailman/listinfo/ntp
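The question in the quoted message (why should a host accept a further fragment, overlapping or not, once it has received a datagram with MF clear and offset 0?) is easiest to reason about as a reassembly policy. The following is an added illustration, not code from the thread or from any NTP implementation: a small monitor that parses raw IPv4 packets and flags the anomalies the thread names, namely a fragment arriving for an IP ID already delivered whole, an overlapping fragment, a non-final fragment whose length is not a multiple of 8, and a first fragment carrying a zero UDP checksum toward port 123. The packets it inspects are constructed inline with RFC 5737 documentation addresses and a 48-byte placeholder NTP body; the IPv4 header checksum is left at zero because the monitor does not verify it. It generalises slightly beyond the thread by keying state on (src, dst, ID, protocol) so it works for any UDP datagram, not only NTP.

```python
import socket
import struct
from collections import defaultdict

NTP_PORT = 123
IPPROTO_UDP = 17


def build_ipv4(src, dst, ident, mf, frag_off, payload, proto=IPPROTO_UDP):
    """Raw IPv4 packet without options. frag_off is this fragment's byte
    offset inside the original datagram (must be a multiple of 8).
    The header checksum is left at 0: the monitor does not verify it."""
    assert frag_off % 8 == 0
    flags_frag = ((1 if mf else 0) << 13) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, data, checksum):
    """UDP header plus data. On IPv4 a checksum of 0 means 'no checksum',
    which is legal but removes the only end-to-end check a reassembled
    datagram gets."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), checksum) + data


def parse_ipv4(pkt):
    """Extract the fields the monitor needs from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "id": ident,
        "proto": pkt[9],
        "mf": bool(flags_frag & 0x2000),
        "off": (flags_frag & 0x1FFF) * 8,
        "payload": pkt[ihl:total_len],
    }


class FragmentMonitor:
    """Tracks datagrams by (src, dst, IP ID, proto) and reports the reassembly
    anomalies raised in the thread: fragments arriving for a datagram that was
    already delivered whole (MF=0, offset 0), overlapping fragments, and first
    fragments that carry a zero UDP checksum toward port 123."""

    def __init__(self):
        self.complete = set()            # keys already seen as whole datagrams
        self.ranges = defaultdict(list)  # key -> [(start, end)] byte ranges seen

    def observe(self, pkt):
        p = parse_ipv4(pkt)
        key = (p["src"], p["dst"], p["id"], p["proto"])
        start, end = p["off"], p["off"] + len(p["payload"])
        alerts = []

        if not p["mf"] and p["off"] == 0:
            self.complete.add(key)       # whole datagram: no fragments expected
        else:
            if key in self.complete:
                alerts.append("FRAGMENT_AFTER_UNFRAGMENTED_DATAGRAM")
            if p["mf"] and len(p["payload"]) % 8:
                alerts.append("NON_FINAL_FRAGMENT_NOT_MULTIPLE_OF_8")
            if any(start < e and s < end for s, e in self.ranges[key]):
                alerts.append("OVERLAPPING_FRAGMENT")
        self.ranges[key].append((start, end))

        # Only the fragment at offset 0 carries the UDP header.
        if p["proto"] == IPPROTO_UDP and p["off"] == 0:
            if len(p["payload"]) < 8:
                alerts.append("FIRST_FRAGMENT_TOO_SMALL_FOR_UDP_HEADER")
            else:
                _, dport, _, csum = struct.unpack("!HHHH", p["payload"][:8])
                if dport == NTP_PORT and csum == 0:
                    alerts.append("UDP_ZERO_CHECKSUM_TO_NTP")
        return alerts


def run_demo():
    """Constructed traffic (not a capture): a whole NTP reply, a stray
    overlapping fragment claiming the same IP ID, then a properly fragmented
    datagram whose first fragment carries a zero UDP checksum."""
    mon = FragmentMonitor()
    server, client, ntp_body = "192.0.2.10", "198.51.100.7", bytes(48)
    whole = build_ipv4(server, client, 0x1234, False, 0,
                       build_udp(NTP_PORT, NTP_PORT, ntp_body, checksum=0xBEEF))
    stray = build_ipv4(server, client, 0x1234, False, 8, bytes(40))
    first = build_ipv4(server, client, 0x5678, True, 0,
                       build_udp(NTP_PORT, NTP_PORT, bytes(8), checksum=0))
    last = build_ipv4(server, client, 0x5678, False, 16, bytes(40))
    return [mon.observe(pkt) for pkt in (whole, stray, first, last)]


if __name__ == "__main__":
    for alerts in run_demo():
        print(alerts or "ok")
```

Run it directly and the second packet (a fragment at offset 8 for an ID already received whole) produces both the "fragment after unfragmented datagram" and the "overlapping fragment" alerts, while the third produces the zero-checksum alert; a reassembler that simply drops packets on the first two conditions, and an NTP daemon that refuses checksum-less UDP, gives the answer the thread is looking for.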