IETF Logo Mail Archive

Re: [Ntp] Details of the fragmentation attacks against NTP and port randomization

Watson Ladd <watsonbladd@gmail.com> Wed, 05 June 2019 14:40 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70A99120122 for <ntp@ietfa.amsl.com>; Wed, 5 Jun 2019 07:40:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8LEQd9QG-r99 for <ntp@ietfa.amsl.com>; Wed, 5 Jun 2019 07:40:26 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41620120120 for <ntp@ietf.org>; Wed, 5 Jun 2019 07:40:26 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id 136so7736404lfa.8 for <ntp@ietf.org>; Wed, 05 Jun 2019 07:40:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=s0oXbUQWD04DHzC6qVhvSboAwqp4p5e/3tgYMpCyRZk=; b=uz4JNtawfWoQy/bPMgmFzFqnHjytukGZVfi8/NqedjZizwmEtgOTtq+i11IIwoo6DR BvDjxzRwBUcI0a049vBiI6oLkKkDtzYvBCEANzgR5Fujr+BXpJYmhhD4YnYcQIo/AsOj LBW3SzhPB7U7tKKpX+ISIzX9oyjJLIPiEM6+Xe6s7peVRehqKr+/NvLMv4uugFCnHrBV VxDbczVWWXlNWt5mv3xg2cFNnSp4NjcoC+/uk3qIIHcx0z8zPH7BuM0D9DdCJskGwxhh vp4bzvkAGYWyMSuLOMzhH8MY/PKuGkwgGiHN2eiYVgRGfTvauWt4vNRpBnuMzNGDwSfU 3SIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=s0oXbUQWD04DHzC6qVhvSboAwqp4p5e/3tgYMpCyRZk=; b=WG1p/M1bpMMdkS//mjj3IMowtxVyUuEeHAGAKrhnn919gBPdQ+Ak2qVHTDYKCq/lpG Iyo/pxK4cIZhB4ObA/pFpFiwwbRpVa3hH026e88IZ+G1UBlYAOTOGegYHUOMUXGAO4yN bOGFHgwbPzAJqjyZ0VgUImibdDCwDPzu6Dgs14svjjpsmCchnlyVbFET9DkEu53649Ig lqYQhBTu61V66L089ijQnbJV/1r0/GmkuL2xhJSZ6j8bwC+PGqxjBMKHrgiBTCnr9/71 ozl8Lx5O/PGePB4Flkn04a+a4j7vF+Yb3ftSjlf4JrPE/RZSPTZyCAXwrwIn/wnJ88Vp JAKg==
X-Gm-Message-State: APjAAAUL6Btxub6NoQUhv0o/XhOXl/bRwiSZFjSk6UTaRHMNOnAOJ/4d xOss8K/ESUIwnk4VSD3GVyxwzdqoGFCVJ243vM4SQz83jy8=
X-Google-Smtp-Source: APXvYqyAx2oHGCkfcOHhwBh9q4mMULP7tlG2yATFNFA9lZNNcYaSf7BP2JkKtitPo8pLza7Y6VoI+bkbjzyA/BG68hQ=
X-Received: by 2002:ac2:5189:: with SMTP id u9mr19238282lfi.189.1559745624260; Wed, 05 Jun 2019 07:40:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAN2QdAGS20q=7+r+qMFEBBu4gNmSDR9-vYDbvgC=ZnqWLEU-6w@mail.gmail.com> <739c2eaa-05f1-0b30-4b64-fc5d3f91ce5b@pdmconsulting.net> <a3a545cf-d83d-a2c7-ad6c-3e349de78615@si6networks.com> <9f75e400-cf2f-053f-ed06-f4d6df415eaf@pdmconsulting.net>
In-Reply-To: <9f75e400-cf2f-053f-ed06-f4d6df415eaf@pdmconsulting.net>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 05 Jun 2019 07:40:13 -0700
Message-ID: <CACsn0ck8w=sZ19QJYuSL1Bi2XdDjPW6ruPAWYtMuDxWNRXZ1mA@mail.gmail.com>
To: Danny Mayer <mayer@pdmconsulting.net>
Cc: NTP WG <ntp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/i6FTcx66PrFQ4CfcqIK7wukpA-w>
Subject: Re: [Ntp] Details of the fragmentation attacks against NTP and port randomization
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jun 2019 14:40:30 -0000

On Tue, Jun 4, 2019 at 7:41 PM Danny Mayer <mayer@pdmconsulting.net> wrote:
>
> On 6/4/19 2:39 AM, Fernando Gont wrote:
>
> On 4/6/19 06:09, Danny Mayer wrote:
>
> On 6/3/19 2:24 PM, Watson Ladd wrote:
>
> Dear all,
>
> The debate over client port randomization is missing an important
> fact: off-path attacks against NTP are not prevented by the origin
> timestamp due to the OS handling of fragmentation. In
> http://www.cs.bu.edu/~goldbe/papers/NTPattack.pdf we see that sending
> a properly crafted IP fragment can selectively overwrite NTP packets,
> thus allowing an attacker to modify received data without overwriting
> the origin timestamp. I would recommend we adopt port randomization
> to handle this problem.
>
> Sincerely,
> Watson Ladd
>
> Actually if you read Section VI you will see that the last sentence of
> that section states that they do not consider it to be a sufficient defense.
>
> Wasn't Your argument that the timestamp was enough to mitigate off-path
> attacks?
>
> Yes and no. The draft you wrote requires using random ports to avoid off-path attacks. The paper demonstrates that for at least some O/S's an off-path fragmentation attack succeeds regardless of the port number. This is at a layer below NTP. So randomizing the ports doesn't matter for this attack according to the paper. The proper way to deal with this fragmentation attack is to fix the underlying O/S behavior as has already been done for most of them. The NTP basic payload is only 48 bytes so there is no reason to allow fragmentation in the first place.

>From the paper: "Our measurements(Section VI-G) confirm that there are
ten of thousands of NTP servers in the wild that do this." Clearly
tens of thousands of servers are fragmenting below minimum MTU in
response to PMTUD messages.

>
> If you can't attack that way then your off-path attacker cannot guess the origin timestamp which is a 64-bit quantity. Furthermore the attacker doesn't know the server being used by the NTP client so the IP address of that server will be invalid as well. The client should have enough information to ignore the packet.
>
> So RFC6056 doesn't really apply as a mandate. You can certainly ask to update draft-ietf-ntp-bcp to recommend randomizing the port for outgoing queries. In any case RFC6056 is about randomizing ports and is not really a security document. If it were then it would have made a very basic recommendation concerning the port: if you have received your response and it is valid then close the port immediately and the next time you want to make a new request open a new random port to perform the request. That way the off-path attacker will have no way of knowing what the new port number will be.
>
> In the case of NTP you don't want to trust a single server, The draft NTP BCP recommends at least 3 different servers and preferably 4 to allow for the loss of one server. See section 3.2. If you are really concerned about security you should arrange with your server providers to include either a MAC at the end of the packet or use the new NTS security mechanism to validate and secure the packets returned. If you are concerned about attacks you should be employing firewalls anyway. Lastly you can get yourself a GPS unit and use that to get your clock information. For the really paranoid, get an atomic clock!

I find this level of opposition (it doesn't close all the barriers so
why bother) remarkable. Why not randomize the ports? Doing so would
also simplify dos protection: src=123 is a problem. I agree we should
all move to NTS.
>
> Danny
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email