Re: [Ntp] [EXT] Re: NTPv5 KISS code support
"Forrest Christian (List Account)" <lists@packetflux.com> Sun, 03 December 2023 13:21 UTC
Return-Path: <lists@packetflux.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13F48C14F615 for <ntp@ietfa.amsl.com>; Sun, 3 Dec 2023 05:21:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=packetflux-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Txe2Zxzw8-TO for <ntp@ietfa.amsl.com>; Sun, 3 Dec 2023 05:21:29 -0800 (PST)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FE0EC14F5E6 for <ntp@ietf.org>; Sun, 3 Dec 2023 05:21:29 -0800 (PST)
Received: by mail-wm1-x329.google.com with SMTP id 5b1f17b1804b1-40bd5eaa66eso15223395e9.3 for <ntp@ietf.org>; Sun, 03 Dec 2023 05:21:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=packetflux-com.20230601.gappssmtp.com; s=20230601; t=1701609687; x=1702214487; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=m1wyYOMYcFWwHSbO2FZp8zf8uyTWrwB4dITs1X0ywVg=; b=e9W/z2NWzQhO5GqN/M/Sx84f0NaNjYdFZxf7qDWHV87+nZYIIb7Br4NMWoCblBXFQ3 ZDXX6ae7CuIk5SBwuQfqy/ustbPukyOuN9nqnlW6WCdrTfsU3GEpitydZUnRZuBsrXQz hyOTT/bG9tuTnog64mDTH7kes2EkQ1SNT1qbTUT7Xed/6SR60l6+ysCggXPvtKzDHrBj MUDsAAtbbgj5oEy4SJ5M4MNtfw0JWNmsnkS07klW4i0KtU4ktNQf/pDh5EemJzwRS7gQ eNR+b/RWT6NPwNSeLL8mYAve7E4BFkXJvAxv5CfIuYipEhb/gHndGqW6aE1QpYoghjLE a5Yg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701609687; x=1702214487; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=m1wyYOMYcFWwHSbO2FZp8zf8uyTWrwB4dITs1X0ywVg=; b=DSq9OWJ5PQYpvUO2SzUmSsPdFOAuJyNJ94bLSNyVSBMyq8NhyckY3AQ5vggHC1TebL RF1dFal0x4w4jAu3b63Dus/DPPXDEtadvSpGKQivrpHLSaGUcCeFmP5nPUszDeFlBUyX Bapvtb7di2gmrO2ETO9pndUVaNnQNSFzFuQOkFubK/LGdRrqs8mPG6HdHqP2ghds/gHo MPAPDsA/V0KQCfVFbBh86QhJp9op/eHcbyw87D4OWPjshr5tHD30yL+Nq8bthKeGuSgZ kHNlHUsQz8y9dRmTaFSoU4jjZGyaMQSIf8d7NsiF4Hb2d7KovyxtBeHkSqpvlDsW21QX SZDA==
X-Gm-Message-State: AOJu0YxDludM28cvHFRrwAcN8AcHby/yEkMEv4PSgSav5fCVzuxDZ4jh uDPH+v4fI14QIu5KDV8FtIOkZiVWrW8mCkKr5AhKxQ==
X-Google-Smtp-Source: AGHT+IFB8KtQV9oFTpHDg5OnkUroJ/HtdngTVHKs+/ax7T/o235zZY5ZPciajW52gfbDUJWgqm9+Tbcsq5gtcedG7jo=
X-Received: by 2002:a05:600c:4593:b0:409:79cb:81a3 with SMTP id r19-20020a05600c459300b0040979cb81a3mr1749468wmo.30.1701609687289; Sun, 03 Dec 2023 05:21:27 -0800 (PST)
MIME-Version: 1.0
References: <dfoxfranke@gmail.com> <CAJm83bByex7nox2YJAnC2bkGxHS-f2BEWphpiDS+idbh+2bVGQ@mail.gmail.com> <20231201220934.C32B528C1C3@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20231201220934.C32B528C1C3@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
From: "Forrest Christian (List Account)" <lists@packetflux.com>
Date: Sun, 03 Dec 2023 06:21:15 -0700
Message-ID: <CAKsZx=2UtheNXwL0r4FitPN7nCdyt4=sHcYBPnu8V5SJC5HSww@mail.gmail.com>
To: Hal Murray <halmurray+ietf@sonic.net>
Cc: Daniel Franke <dfoxfranke@gmail.com>, NTP WG <ntp@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f521aa060b9ae019"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/7mJnsHm6N2cYbXQrl4qD2BbfJKU>
Subject: Re: [Ntp] [EXT] Re: NTPv5 KISS code support
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Dec 2023 13:21:30 -0000
On Fri, Dec 1, 2023, 3:09 PM Hal Murray <halmurray+ietf@sonic.net> wrote: > I'd like to understand why reflection without amplification is not a > problem. > ... > Is it simple technology/economics? The bad guys have cheaper ways to > generate > traffic? > Without amplification, reflection does not help you generate traffic volume. How amplification works is that you send a small packet with a forged source address to a server which is known to respond with a much larger packet. DNS is a good example of this.. your query might be a few bytes containing a query like "give me all the records for example.com" and the DNS server will reply with a much larger packet that has all the records included. With the forged source address, this larger response will go to the destination pointed at by the forged source address, thus allowing a relatively small stream of packets bandwidth-wise to generate a much larger stream of packets toward the desired destination. Note that without amplification the main benefit of doing reflection doesn't exist. It doesn't make a lot of sense to bounce a flow off of a remote server when you could get the exact same results by sending the packets directly. > Are botnets cheap enough that there is no need to hide by using reflection > without amplicication? > You don't need to use reflection to hide.. just forge the source address of the packets. I could come up with some contrived edge cases that reflection without amplification might be useful, but all of the situations that I can think of right now are much easier to accomplish in other ways. >
- [Ntp] NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] KISS => NAT => Rate limiting Windl, Ulrich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Ira McDonald
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- [Ntp] KISS => NAT => Rate limiting Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Daniel Franke
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support David Venhoek
- [Ntp] Rate limiting/reflection prevention (Was: N… David Venhoek
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Miroslav Lichvar
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Salz, Rich
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Windl, Ulrich
- Re: [Ntp] [EXT] Re: Re: NTPv5 KISS code support Danny Mayer
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Hal Murray
- Re: [Ntp] [EXT] Re: NTPv5 KISS code support Forrest Christian (List Account)