Re: [Ntp] [EXT] Re: NTPv5 KISS code support

"Forrest Christian (List Account)" <lists@packetflux.com> Sun, 03 December 2023 13:21 UTC

From: "Forrest Christian (List Account)" <lists@packetflux.com>
Date: Sun, 03 Dec 2023 06:21:15 -0700
To: Hal Murray <halmurray+ietf@sonic.net>
Cc: Daniel Franke <dfoxfranke@gmail.com>, NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/7mJnsHm6N2cYbXQrl4qD2BbfJKU>
Subject: Re: [Ntp] [EXT] Re: NTPv5 KISS code support

On Fri, Dec 1, 2023, 3:09 PM Hal Murray <halmurray+ietf@sonic.net> wrote:

> I'd like to understand why reflection without amplification is not a
> problem.
>
...

> Is it simple technology/economics?  The bad guys have cheaper ways to
> generate traffic?
>

Without amplification, reflection does not help you generate traffic
volume.

How amplification works is that you send a small packet with a forged
source address to a server which is known to respond with a much larger
packet. DNS is a good example of this: your query might be a few bytes
containing a query like "give me all the records for example.com" and the
DNS server will reply with a much larger packet that has all the records
included. With the forged source address, this larger response will go to
the destination pointed at by the forged source address, thus allowing a
relatively small stream of packets bandwidth-wise to generate a much larger
stream of packets toward the desired destination.

Note that without amplification the main benefit of doing reflection
doesn't exist. It doesn't make a lot of sense to bounce a flow off of a
remote server when you could get the exact same results by sending the
packets directly.


> Are botnets cheap enough that there is no need to hide by using reflection
> without amplification?
>

You don't need to use reflection to hide; just forge the source address
of the packets.

I could come up with some contrived edge cases where reflection without
amplification might be useful, but all of the situations that I can think
of right now are much easier to accomplish in other ways.
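
An added example, not part of the original message: a small audit an operator could run over request/response sizes logged at their own UDP services, to see which ones answer with more bytes than they receive (the amplification described above) and which merely reflect at a factor of 1. The log format, service names and byte counts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, not capture data: one request/response pair per line,
# as "service request_payload_bytes response_payload_bytes".
SAMPLE_LOG = """\
ntp-client-mode 48 48
ntp-client-mode 48 48
dns-a 40 56
dns-any 40 1400
dns-any 42 1380
echo 64 64
"""

def parse(log):
    """Yield (service, request_bytes, response_bytes), rejecting bad lines."""
    for lineno, line in enumerate(log.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields")
        service, req, resp = parts[0], int(parts[1]), int(parts[2])
        if req <= 0 or resp < 0:
            raise ValueError(f"line {lineno}: invalid byte count")
        yield service, req, resp

def amplification_report(log):
    """Per service: mean factor (total out / total in) and worst single pair."""
    totals = defaultdict(lambda: [0, 0, 0.0])  # bytes in, bytes out, worst
    for service, req, resp in parse(log):
        t = totals[service]
        t[0] += req
        t[1] += resp
        t[2] = max(t[2], resp / req)
    return {s: {"mean": t[1] / t[0], "worst": t[2]} for s, t in totals.items()}

def amplifiers(log, threshold=1.0):
    """Services whose worst-case factor exceeds the threshold, largest first.

    The worst case is used because one large reply type is enough to make a
    service useful as an amplifier. Factors are payload ratios; IP and UDP
    header overhead is ignored.
    """
    report = amplification_report(log)
    flagged = [(s, r["worst"]) for s, r in report.items()
               if r["worst"] > threshold]
    return sorted(flagged, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for service, factor in amplifiers(SAMPLE_LOG):
        print(f"{service}: responds with up to {factor:.1f}x the request size")
```
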
