Re: [Ntp] Details of the fragmentation attacks against NTP and port randomization

Miroslav Lichvar <mlichvar@redhat.com> Thu, 06 June 2019 07:22 UTC

Date: Thu, 06 Jun 2019 09:21:55 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Hal Murray <hmurray@megapathdsl.net>
Cc: Danny Mayer <mayer@pdmconsulting.net>, NTP WG <ntp@ietf.org>
Message-ID: <20190606072155.GI12384@localhost>
References: <mayer@pdmconsulting.net> <8e3f7027-ea04-3e33-274f-0c65f499af7d@pdmconsulting.net> <20190605215710.7A5DB40605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/czokkrvm2orScI0rhZ9bAin1dNs>

On Wed, Jun 05, 2019 at 02:57:10PM -0700, Hal Murray wrote:
> Case A: When a client decides to use IP Address a.b.c.d as a server, open a 
> socket.
> 
> Case B: When a client decides to send a packet to IP Address a.b.c.d, open a 
> socket.  When the response arrives (or timeout) close the socket.

The socket should be "connected" to the server. That is, for packets
coming from different addresses the port should behave as closed
(respond with ICMP).

> nmap will find Case A type systems.  It has a small chance of finding systems 
> using Case B.

The timeout needs to be at least a few seconds. Would that be short enough
to not allow off-path attackers to find the open port if it wasn't
connected? I'm not sure if all systems have rate limits for ICMP
messages.

-- 
Miroslav Lichvar
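An added illustration of the "connected socket" point in the reply above (example code written for this page, not from the thread or from any NTP implementation): a per-request ephemeral UDP socket is connect()ed to the server, so the kernel delivers only that peer's datagrams and treats the port as closed for every other source (dropping the datagram and, subject to the OS rate limit, answering with ICMP port unreachable). The fake server, the second sender and the 3-byte request are constructed stand-ins on loopback, not real NTP packets.

```python
import socket

def connected_client_socket(server_addr, timeout=2.0):
    """Case B from the thread: open an ephemeral UDP socket for one request and
    connect() it to the server. After connect(), the kernel only queues datagrams
    whose source address:port equals server_addr; anything else is discarded as
    if the port were closed (and may trigger an ICMP port unreachable)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.connect(server_addr)
    return s

def demo_connected_filtering():
    """Run the exchange on loopback and return the datagrams the client saw.
    Expected: only the server's reply; the stray datagram never reaches it."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))          # constructed stand-in for an NTP server
    server.settimeout(2.0)
    other = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    other.bind(("127.0.0.1", 0))           # some other source port on the same host
    try:
        client = connected_client_socket(server.getsockname())
        client.send(b"REQ")                # constructed request, not an NTP packet
        req, client_addr = server.recvfrom(64)
        # A datagram from a non-peer source aimed at the client's port: the
        # connected socket does not match it, so the kernel drops it.
        other.sendto(b"STRAY", client_addr)
        # The real peer's reply is accepted.
        server.sendto(b"REPLY:" + req, client_addr)
        seen = [client.recv(64)]
        client.settimeout(0.3)             # short wait to prove nothing else arrived
        try:
            seen.append(client.recv(64))
        except socket.timeout:
            pass
        client.close()                     # Case B: socket lives for one exchange
        return seen
    finally:
        server.close()
        other.close()

if __name__ == "__main__":
    print(demo_connected_filtering())
```

Whether the dropped datagram also produces an ICMP port unreachable, and how many per second, depends on the host's ICMP rate limit, which is the open question raised in the reply.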