Re: [Ntp] Details of the fragmentation attacks against NTP and port randomization

"tglassey@earthlink.net" <tglassey@earthlink.net> Tue, 04 June 2019 17:08 UTC

To: Watson Ladd <watson=40cloudflare.com@dmarc.ietf.org>, NTP WG <ntp@ietf.org>
From: "tglassey@earthlink.net" <tglassey@earthlink.net>
Date: Tue, 04 Jun 2019 20:08:04 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Io7bNyKLeXLCiaad8WotNhUq6DI>

Absolutely

Sent from my HTC, so please excuse any typos.

----- Reply message -----
From: "Watson Ladd" <watson=40cloudflare.com@dmarc.ietf.org>
To: "NTP WG" <ntp@ietf.org>
Subject: [Ntp] Details of the fragmentation attacks against NTP and port randomization
Date: Mon, Jun 3, 2019 21:24

Dear all,

The debate over client port randomization is missing an important
fact: off-path attacks against NTP are not prevented by the origin
timestamp due to the OS handling of fragmentation. In
http://www.cs.bu.edu/~goldbe/papers/NTPattack.pdf we see that sending
a properly crafted IP fragment can selectively overwrite NTP packets,
thus allowing an attacker to modify received data without overwriting
the origin timestamp. I would recommend we adopt port randomization
to handle this problem.

Sincerely,
Watson Ladd

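
The two client-side checks this thread weighs, as an added Python sketch (not code from the thread or from any NTP implementation): the origin-timestamp check still accepts a reply whose bytes outside the origin field were changed, which is the gap the message describes, and an OS-chosen source port is the extra value the message recommends adding. Function names, the sample timestamp and the packets are constructed for illustration.

```python
import os
import socket
import struct

NTP_LEN = 48               # NTPv4 header without extension fields
ORIGIN = slice(24, 32)     # origin timestamp field
TRANSMIT = slice(40, 48)   # transmit timestamp field


def build_request():
    """Client (mode 3) request whose transmit timestamp is a random nonce."""
    pkt = bytearray(NTP_LEN)
    pkt[0] = (4 << 3) | 3  # LI=0, VN=4, Mode=3
    pkt[TRANSMIT] = os.urandom(8)
    return bytes(pkt)


def origin_check(request, response):
    """Accept only a server (mode 4) reply that echoes our transmit timestamp."""
    return (len(response) >= NTP_LEN
            and (response[0] & 0x07) == 4
            and response[ORIGIN] == request[TRANSMIT])


def open_client_socket(server):
    """Port 0 lets the OS pick an ephemeral source port instead of a fixed 123."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("", 0))
    s.connect(server)      # kernel drops datagrams from any other address/port
    return s


def sample_response(request, seconds):
    """Constructed server reply; 'seconds' is an NTP-era transmit time."""
    pkt = bytearray(NTP_LEN)
    pkt[0] = (4 << 3) | 4  # LI=0, VN=4, Mode=4
    pkt[ORIGIN] = request[TRANSMIT]
    pkt[TRANSMIT] = struct.pack("!II", seconds, 0)
    return bytes(pkt)


def demo():
    req = build_request()
    t = 3768656884         # constructed value: 2019-06-04 17:08:04 UTC
    good = sample_response(req, t)
    altered = good[:40] + struct.pack("!II", t + 3600, 0)  # same origin, new time
    blind = sample_response(build_request(), t)            # sender never saw the nonce
    return origin_check(req, good), origin_check(req, altered), origin_check(req, blind)
```

`demo()` shows the origin check passing for the unmodified reply and for the copy with a changed transmit timestamp, and failing only for the sender that never saw the nonce.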