Re: [Ntp] Details of the fragmentation attacks against NTP and port randomization
" tglassey@earthlink.net " <tglassey@earthlink.net> Thu, 06 June 2019 03:51 UTC
To: "Majdi S. Abbas" <msa@latt.net>, AskBjørn Hansen <ask@develooper.com>
From: "tglassey@earthlink.net" <tglassey@earthlink.net>
Cc: ntp@ietf.org, Danny Mayer <mayer@pdmconsulting.net>
Date: Thu, 06 Jun 2019 06:51:34 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/2URA-_Za6_Nz4zZJoHHbu8VUo6I>

Yes. PoC exists. It's run from intermediaries just like SMTP spoofing is, and while arrogance wants to push this as very difficult, it's not.

Sent from my HTC, so please excuse any typos.

----- Reply message -----
From: "Majdi S. Abbas" <msa@latt.net>
To: "AskBjørn Hansen" <ask@develooper.com>
Cc: <ntp@ietf.org>, "Danny Mayer" <mayer@pdmconsulting.net>
Subject: [Ntp] Details of the fragmentation attacks against NTP and port randomization
Date: Wed, Jun 5, 2019 19:09

On Wed, Jun 05, 2019 at 10:45:14AM +0800, Ask Bjørn Hansen wrote:
> This doesn’t seem right. There are much much less NTP servers in the
> world than there are clients. Even an attacker wildly guessing will
> have a limited scope of guessing (versus “every possible IP”).

You're still going to have to guess the entire set of servers the client is using, get them to accept small fragmented packets, with an invalid or zero checksum...and do this for a minimum of 8 poll intervals in order to fool the discipline filters.

So you have to correctly predict the timing, and try to send additional fragments... while the host is still processing the UDP frame.

This does not appear to be anything but a very theoretical attack at this point -- does anyone have a proof of concept?

Additionally: Can anyone think of a reason an implementation should accept an additional fragment if the MF bit was not set in the first packet? (Particularly an overlapping fragment, when we are not expecting any fragments at all?) And does that behavior exist in the wild?

Thanks,

--msa
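
The receive-side behaviour asked about at the end of the quoted message can be written down as a strict acceptance check. The sketch below is an added example, not code from this thread or from any NTP or IP stack: `struct reasm`, `frag_check` and the policy of closing a datagram on overlap are assumptions made for illustration.

```c
#include <stdint.h>

#define IP_MF      0x2000u  /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu  /* fragment offset, in 8-byte blocks */
#define MAX_BLOCKS 8192u    /* 13-bit offset field => at most 8192 blocks */

enum verdict { V_DELIVER, V_QUEUE, V_DROP };

/* Hypothetical per-datagram state; a real stack keys it on
 * (source, destination, protocol, IP ID). Zero-initialise before use. */
struct reasm {
    int     closed;                /* datagram complete or poisoned */
    uint8_t have[MAX_BLOCKS / 8];  /* bitmap of blocks already received */
};

static int blk_get(const struct reasm *r, unsigned b)
{
    return (r->have[b >> 3] >> (b & 7)) & 1;
}

/* frag_field: flags+offset word of the IPv4 header, host byte order.
 * len: bytes of IP payload carried by this packet. */
enum verdict frag_check(struct reasm *r, uint16_t frag_field, uint16_t len)
{
    unsigned off  = frag_field & IP_OFFMASK;
    int      mf   = (frag_field & IP_MF) != 0;
    unsigned nblk = (len + 7u) / 8u;
    unsigned b;

    if (!mf && off == 0) {      /* whole datagram: no fragments expected */
        r->closed = 1;
        return V_DELIVER;
    }
    if (r->closed)              /* fragment for a datagram already settled */
        return V_DROP;
    if (len == 0 || (mf && len % 8 != 0) || off + nblk > MAX_BLOCKS)
        return V_DROP;          /* malformed fragment */
    for (b = off; b < off + nblk; b++)
        if (blk_get(r, b)) {    /* overlaps data we already hold */
            r->closed = 1;      /* poison the queue: drop what follows too */
            return V_DROP;
        }
    for (b = off; b < off + nblk; b++)
        r->have[b >> 3] |= (uint8_t)(1u << (b & 7));
    return V_QUEUE;
}
```

With this check, a 56-byte unfragmented UDP/NTP datagram (MF clear, offset 0) is delivered and any later packet claiming to be a fragment of it is dropped, as is any fragment that overlaps bytes already queued.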