Re: [Ntp] Antw: Re: Antw: Re: New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)

"Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de> Wed, 29 May 2019 10:13 UTC

Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D5FC12008C for <ntp@ietfa.amsl.com>; Wed, 29 May 2019 03:13:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hCrG6Zeu9Xcl for <ntp@ietfa.amsl.com>; Wed, 29 May 2019 03:13:49 -0700 (PDT)
Received: from mx3.uni-regensburg.de (mx3.uni-regensburg.de [IPv6:2001:638:a05:137:165:0:4:4e79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 351E712006A for <ntp@ietf.org>; Wed, 29 May 2019 03:13:49 -0700 (PDT)
Received: from mx3.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id EA547600005B for <ntp@ietf.org>; Wed, 29 May 2019 12:13:46 +0200 (CEST)
Received: from gwsmtp.uni-regensburg.de (gwsmtp1.uni-regensburg.de [132.199.5.51]) by mx3.uni-regensburg.de (Postfix) with ESMTP id CD20E6000059 for <ntp@ietf.org>; Wed, 29 May 2019 12:13:46 +0200 (CEST)
Received: from uni-regensburg-smtp1-MTA by gwsmtp.uni-regensburg.de with Novell_GroupWise; Wed, 29 May 2019 12:13:46 +0200
Message-Id: <5CEE5B59020000A1000317FE@gwsmtp.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 18.1.1
Date: Wed, 29 May 2019 12:13:45 +0200
From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
To: "ntp@ietf.org" <ntp@ietf.org>,<stenn@nwtime.org>
References: <155841904754.12856.3727925672753047210.idtracker@ietfa.amsl.com> <9d21f083-4cba-1dd1-f5bb-c95984d3127b@si6networks.com> <9d74c6e3-244e-fdd7-184a-0572f4f144cd@ntp.org> <25275d68-8c18-1616-f226-dffe7e21091e@si6networks.com> <20190528174208.11253a67@rellim.com> <1a133133-5d6a-ca96-6c15-73e6933baffc@si6networks.com> <2794A95B-B118-40BD-AD60-DCB50CC32717@latt.net> <f03dbfbd-007a-fa81-f846-85079a59dddd@si6networks.com> <c4384ecc-2711-3479-df21-d6533f438418@ntp.org> <5CEE4B90020000A1000317F4@gwsmtp.uni-regensburg.de> <5CEE4B90020000A1000317F4@gwsmtp.uni*regensburg.de> <9418bd6d-a830-311f-2392-02999df3c153@nwtime.org> <5CEE5344020000A1000317F9@gwsmtp.uni-regensburg.de> <92e2c1f9-a745-c182-6194-c7ce819c8a3c@nwtime.org>
In-Reply-To: <92e2c1f9-a745-c182-6194-c7ce819c8a3c@nwtime.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/ZLj7-Y19AWc3vDkPkAb84_N04eI>
Subject: Re: [Ntp] Antw: Re: Antw: Re: New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2019 10:13:51 -0000

>>> Harlan Stenn <stenn@nwtime.org> schrieb am 29.05.2019 um 12:02 in Nachricht
<92e2c1f9-a745-c182-6194-c7ce819c8a3c@nwtime.org>rg>:


[...]
> That also assumes the client has the correct time.  If somebody is using
> SNTP, this assumption may be wrong, and the client's time could well be
> off by much more.  At 33 bits, we're talking about 2 seconds.  If the
> client might be off by 4-8 minutes then we're talking about 41 bits.

Do you really think someone planning to attack NTP will start with a clock that is  minutes off the correct time?

> 
>>>
>>> And remember that:
>>>
>>> - the window of time where an attack is possible starts when the client
>>>   sends its request, and ends when a valid response is received.
>> 
>> An attacker will probably "spray" attacking packets.
> 
> OK, so what?  Low end normal machines might handle 2k packets/second,
> and low end slow machines are lucky to be able to handle 200 packets per
> second.

It there a difference between the client being overloaded with attack packets that are "wrong" or attack packets that are "correct"? I was arguing that "enough packets" could easily be created, while you argue the client can't handle them.

> 
>>> - a competent client will log bogus responses, at least during this
>>>   window, and if the client is NTP as opposed to SNTP, will log
>>>   *any* bogus received packets.
>> 
>> The point is whether logging unexpected packets actually opens a DoS 
> windows.
> 
> That's something logging systems can reasonably be expected to handle,
> and it's also reasonable to assume that if somebody goes to the trouble
> to log these events they're also alerting on them.

Yeah: Filesystem full ;-)

[...]