Re: [ntpwg] Antw: Attackers use NTP reflection in huge DDoS attack

dieter.sibold@ptb.de Thu, 20 February 2014 20:29 UTC

In-Reply-To: <52FF99BA.6040709@innovationslab.net>
References: <f269255720f044ebb52f6db0b9309a31@exrad6.ad.rad.co.il> <52FDDCED020000A1000145E5@gwsmtp1.uni-regensburg.de> <52FE3FDD.9040105@innovationslab.net> <52FECC6F.5070903@ntp.org> <52FF99BA.6040709@innovationslab.net>
To: Brian Haberman <brian@innovationslab.net>
Message-ID: <OF3B330A63.5C9D1D84-ONC1257C85.005A6E2F-C1257C85.005A85BC@ptb.de>
From: dieter.sibold@ptb.de
Date: Thu, 20 Feb 2014 17:28:44 +0100
Cc: ntpwg@lists.ntp.org, ntpwg-bounces+dieter.sibold=ptb.de@lists.ntp.org
Subject: Re: [ntpwg] Antw: Attackers use NTP reflection in huge DDoS attack

I agree with Brian. I suppose a well written BCP should be very helpful for
a lot of administrators.

Regards
Dieter
----------------------------------
Physikalisch-Technische Bundesanstalt
Dr. Dieter Sibold
Q.42 - Server Systems and Data Management
Quality management officer for the IT Infrastructure unit
Bundesallee 100
D-38116 Braunschweig
Tel: +49-531-592-84 20
E-Mail: dieter.sibold@ptb.de



From:	Brian Haberman <brian@innovationslab.net>
To:	ntpwg@lists.ntp.org
Date:	15.02.2014 19:35
Subject:	Re: [ntpwg] Antw: Attackers use NTP reflection in huge DDoS attack
Sent by:	ntpwg-bounces+dieter.sibold=ptb.de@lists.ntp.org



Hi Danny,

On 2/14/14 9:09 PM, Danny Mayer wrote:
> On 2/14/2014 11:10 AM, Brian Haberman wrote:
>> A question for the group...
>>
>> Do we need to codify these (and maybe other) security guidelines in
>> a BCP?
>>
>> Brian
>
> For this particular attack, I'm not so sure since they involve mode 7
> packets and as far as I know only the reference implementation from
> ntp.org implements them as well as mode 6 packets which are also meant
> as management tools. These packets are not well documented,
> particularly mode 7 and I believe only mode 6 packets are documented
> in RFC 1305 which has been obsoleted by RFC 5905.

Correct.  There is a draft in progress to document the mode 6 packets
(http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-02).

>
> Only mode 6 and mode 7 packets could be used in an amplification
> attack as all the other types return just the same size packets as the
> incoming ones.

It may be worthwhile to discuss the security implications of the mode 6
& 7 packets (in case another implementation decides to support them).

>
> There is a general need for a BCP for NTP, particularly over things
> like Rules of Engagement and KOD packets. Some of the more well-known NTP
> servers (like NIST and USNO) are overwhelmed with packets, hardware
> manufacturers have hard-coded IP addresses of NTP servers, and some
> software just bombards NTP servers with requests.
>
> So I think that my answer is in general yes, but not specifically
> about this.

Makes sense and is the reason for my parenthetical "and maybe other" in
my initial question.

I would like to see some WG effort put into this type of document.

Regards,
Brian


[Attachment "signature.asc" deleted by Dieter Sibold/PTB]
_______________________________________________
ntpwg mailing list
ntpwg@lists.ntp.org
http://lists.ntp.org/listinfo/ntpwg

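Danny's point above is that only mode 6 (control) and mode 7 (private) exchanges can return more bytes than they receive, which is what makes them usable for reflection. The following is an added example, not code from the thread or from the ntp.org reference implementation: it decodes the 3-bit mode field from the first byte of an NTP packet (LI:2, VN:3, Mode:3 as laid out in RFC 5905) and then runs a simple defender-side check over constructed flow records, summing bytes per peer in each direction and flagging peers whose response/request ratio exceeds a threshold or who used a management mode at all. The server address, the peer addresses, the packet sizes and the `SAMPLE_RECORDS` list are all constructed for the example; `make_pkt` pads packets with zeros and is only a stand-in for real captures.

```python
from collections import defaultdict

MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}
MANAGEMENT_MODES = {6, 7}


def ntp_mode(packet: bytes) -> int:
    """Return the mode from the first NTP header byte (LI:2 | VN:3 | Mode:3)."""
    if not packet:
        raise ValueError("empty packet")
    return packet[0] & 0x07


def make_pkt(mode: int, version: int, length: int) -> bytes:
    """Constructed stand-in for a captured NTP payload of the given length."""
    return bytes([(version << 3) | mode]) + b"\x00" * (length - 1)


def amplification_report(records, server_ip, threshold=2.0):
    """Group (src, dst, payload) records by the non-server peer and report
    peers whose response bytes exceed request bytes by more than `threshold`,
    or who sent any mode 6/7 packet. A peer that only ever receives replies
    (request never captured) gets an infinite ratio and is reported too."""
    stats = defaultdict(lambda: {"req": 0, "resp": 0, "modes": set()})
    for src, dst, payload in records:
        if dst == server_ip:                      # request toward the server
            s = stats[src]
            s["req"] += len(payload)
            s["modes"].add(ntp_mode(payload))
        elif src == server_ip:                    # reply from the server
            stats[dst]["resp"] += len(payload)
        # traffic not involving this server is ignored
    report = {}
    for peer, s in stats.items():
        ratio = s["resp"] / s["req"] if s["req"] else float("inf")
        mgmt = sorted(s["modes"] & MANAGEMENT_MODES)
        if ratio > threshold or mgmt:
            report[peer] = {
                "request_bytes": s["req"],
                "response_bytes": s["resp"],
                "ratio": round(ratio, 2),
                "management_modes": mgmt,
            }
    return report


# Constructed sample traffic: (src, dst, payload). SERVER is our own NTP host.
SERVER = "192.0.2.123"
SAMPLE_RECORDS = [
    # ordinary client: 48-byte mode 3 request, 48-byte mode 4 reply (ratio 1.0)
    ("198.51.100.7", SERVER, make_pkt(3, 4, 48)),
    (SERVER, "198.51.100.7", make_pkt(4, 4, 48)),
    # mode 7 private request answered by several large packets
    ("203.0.113.9", SERVER, make_pkt(7, 2, 8)),
    (SERVER, "203.0.113.9", make_pkt(7, 2, 440)),
    (SERVER, "203.0.113.9", make_pkt(7, 2, 440)),
    (SERVER, "203.0.113.9", make_pkt(7, 2, 440)),
    (SERVER, "203.0.113.9", make_pkt(7, 2, 440)),
    # mode 6 control request with a single large reply
    ("203.0.113.50", SERVER, make_pkt(6, 2, 12)),
    (SERVER, "203.0.113.50", make_pkt(6, 2, 468)),
]

if __name__ == "__main__":
    for peer, info in amplification_report(SAMPLE_RECORDS, SERVER).items():
        names = [MODE_NAMES[m] for m in info["management_modes"]]
        print(f"{peer}: ratio {info['ratio']} modes {names}")
```

In a real deployment the records would come from flow export or a packet capture on UDP/123, and the threshold would be tuned per site; the interesting property for an operator is that ordinary client/server exchanges sit at a ratio of 1.0, so anything well above that on a public server points at exactly the management-mode traffic the thread discusses.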