Re: [Ntp] DDoS meets NTP

Daniel Franke <dfoxfranke@gmail.com> Mon, 19 April 2021 18:04 UTC

References: <mlichvar@redhat.com> <YH1k4ETzrUB0tVQt@localhost> <20210419173823.CF68C40605C@ip-64-139-1-69.sjc.megapath.net>
In-Reply-To: <20210419173823.CF68C40605C@ip-64-139-1-69.sjc.megapath.net>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Mon, 19 Apr 2021 14:04:41 -0400
Message-ID: <CAJm83bDzve+x7zxtp-g4+RmkbQ8_rBkainOXCim-q37W=7borg@mail.gmail.com>
To: Hal Murray <hmurray@megapathdsl.net>
Cc: NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/JYOslw7wbWKrBXqfdgqmXd99jm8>

On Mon, Apr 19, 2021 at 1:38 PM Hal Murray <hmurray@megapathdsl.net> wrote:

> Is this a solvable problem? If I let 1/N through, is there a value of N
> that lets through enough real replies without also letting through enough
> bogus traffic to make traditional DDoS practical?

No. A client will treat a server as unreachable after 8 dropped replies, so
an attacker can DoS a client by sending spoofed packets at the rate limit
plus eight times the client's burst interval, which at conventional rate
limits is an absolutely trivial amount of traffic. Trying to rate-limit NTP
is just absolutely counterproductive no matter how you approach it. The way
to make NTP DDoS-resilient is to spec your server with enough CPU to keep
up with requests coming in at the full capacity of your network link. Do
this, and attackers will achieve no more by hammering you with NTP requests
than by hammering you with random garbage.
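The argument above rests on the NTP client's 8-bit reachability register: the client shifts the register once per poll, sets the low bit when a reply arrives, and treats the peer as unreachable once the register reads zero, i.e. after eight consecutive missed replies. The following is an added worked example (not code from the NTP WG, from any NTP implementation, or from the authors of the messages above) that models that register and computes, for a server-side limit that lets a fraction 1/N of a client's polls through, how likely the client is to declare the server unreachable within a given number of polls. The independence of successive drops and the 64-second poll interval used in the summary are assumptions of this model, not figures from the thread.

```python
"""Reachability-register model for evaluating a reply rate limit.

Added illustration for the "DDoS meets NTP" thread; not code from the
NTP WG or from any NTP implementation.

Assumptions (labelled):
  * each client poll independently receives a reply with probability p
    (a limiter passing 1/N of polls gives p = 1/N);
  * the client polls every POLL_INTERVAL seconds (64 s is the common
    minimum poll interval, chosen here as a constructed example);
  * the reach register behaves as in RFC 5905: an 8-bit shift register,
    shifted left on every poll, low bit set when a reply arrives, and the
    peer is "unreachable" when the register is zero.
"""

REACH_BITS = 8
POLL_INTERVAL = 64  # seconds between polls (constructed example value)


def update_reach(reach: int, got_reply: bool) -> int:
    """Advance the reach register by one poll.

    The register is shifted left by one bit (discarding the oldest poll)
    and the low bit is set only if this poll got a reply.
    """
    reach = (reach << 1) & ((1 << REACH_BITS) - 1)
    if got_reply:
        reach |= 1
    return reach


def prob_unreachable_within(reply_probability: float, polls: int) -> float:
    """Probability that a run of REACH_BITS consecutive misses occurs
    within `polls` polls, i.e. that the client sees reach == 0.

    Exact dynamic programme over the length of the current miss run:
    state r (0 <= r < REACH_BITS) is the number of consecutive misses so
    far; a reply resets r to 0, a miss advances it, and reaching
    REACH_BITS misses is absorbing (the client has given up).
    """
    miss_probability = 1.0 - reply_probability
    dist = [0.0] * REACH_BITS  # dist[r]: probability of miss-run length r
    dist[0] = 1.0
    absorbed = 0.0
    for _ in range(polls):
        nxt = [0.0] * REACH_BITS
        for r, pr in enumerate(dist):
            if pr == 0.0:
                continue
            nxt[0] += pr * reply_probability
            if r + 1 == REACH_BITS:
                absorbed += pr * miss_probability
            else:
                nxt[r + 1] += pr * miss_probability
        dist = nxt
    return absorbed


def unreachable_within_day(n: int) -> float:
    """Probability that a client whose polls survive the limiter with
    probability 1/N declares the server unreachable within one day of
    POLL_INTERVAL-second polls."""
    polls_per_day = 24 * 3600 // POLL_INTERVAL
    return prob_unreachable_within(1.0 / n, polls_per_day)


if __name__ == "__main__":
    # Walk the register through eight consecutive missed replies.
    reach = (1 << REACH_BITS) - 1  # fully reachable history
    for poll in range(1, REACH_BITS + 1):
        reach = update_reach(reach, got_reply=False)
        print(f"poll {poll}: reach = {reach:08b}")

    # How a "let 1/N through" limiter plays out over a day of polling.
    for n in (1, 2, 4, 8, 16):
        print(f"N={n:>2}: P(unreachable within a day) = "
              f"{unreachable_within_day(n):.4f}")
```

The register walk shows why the thread talks about eight replies rather than some tolerance percentage: one poll with a reply anywhere in the last eight resets the client's view to "reachable", and only an unbroken run of eight misses does not. The table then makes the trade-off in Hal's question concrete: a limiter strict enough to blunt reflection traffic drops enough legitimate polls that, over a day, an honest client is very likely to hit such a run.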