[Ntp] Rate limiting/reflection prevention (Was: NTPv5 KISS code support)

David Venhoek <david@venhoek.nl> Wed, 08 November 2023 08:57 UTC

Return-Path: <david@venhoek.nl>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43BF1C1D2D6C for <ntp@ietfa.amsl.com>; Wed, 8 Nov 2023 00:57:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=venhoek-nl.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B2hX1BI3iPbD for <ntp@ietfa.amsl.com>; Wed, 8 Nov 2023 00:57:52 -0800 (PST)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACBB2C18E559 for <ntp@ietf.org>; Wed, 8 Nov 2023 00:57:51 -0800 (PST)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-53ed4688b9fso11036118a12.0 for <ntp@ietf.org>; Wed, 08 Nov 2023 00:57:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=venhoek-nl.20230601.gappssmtp.com; s=20230601; t=1699433869; x=1700038669; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=bcyggNj8QmJoh7i7wLpI+0WS1YG1L36r/qp3fijnyns=; b=DLjSokapGx6wNaKsfxgQ/D01ZSIDjaJkEK/2J9tFI3LlsL5chRU+DAH6OGYDpYA1/r KsOlVqhDNmrIHoyJfQp2A92srOYKuDhyXr7ACERiRKHa23VSUjtmq8Df8lmwwfAn7DHD zKGHal2v3P4o8P8JGTOW+0zQEXq4ZAZrGcfjGpWnAb5PauQdFDhAJzo5Ttx20lyiVqnC p2TKuGNrWEVhvmRpokcn00Vp6SJCgVuRsbx604xGZH3/JJaf5Vpji5imFdtAOHHPFqXv D5+ZpHcMh0puwWS713dTuEPKCa5dKx5PY1J4qVoOAv+mHHnJZ4k29ThLo6r/pxyUZwn6 GoXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699433869; x=1700038669; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bcyggNj8QmJoh7i7wLpI+0WS1YG1L36r/qp3fijnyns=; b=fDOxQBc6YsmlsQWjGFBsjPNTeQsjN9v7ebS88aXY22w5eHHpedv5yweU/60Au4HQeT i8aGPEsnATcw8BKl/pJNG4iNeOJuzy7f5lWpLIhT0xAL75VAbWAKprm/iKwSu8OFv60v nd5NknEWKcdwDX9KMvgEK093FXLsjyUaA+ZCXz50WqV1VVwnKsjgedKHVWIVLDIzugEa O2oeyR/oF3co26IIQPUgOXj62U6UNOr1yWw6cxUmHJRp9wxy74O+9zI0Mir28dPfwh+a a3y4hog43CxKOWHf3z4BC+kROXU98HUIsAK7y9eezVzJBHaEGABhnuwOQiNRvTP3HIcU P8SQ==
X-Gm-Message-State: AOJu0YyG/xNfdBpnNPtX5cuav7vgNXravLvFj96ZSIj0DzmwvHui7XMD 0Gsy027QBFgzqNkkOHHw77+6aS5QDmMVH6pyJ+6S9w==
X-Google-Smtp-Source: AGHT+IG9AYh+vnarX/z8rwvNPOjldidYkGkKSFR6mGIdWS8oPuPXhqKL1i4GYJh9BgIRHxGXr1UEy+e1SQ8tVYUVf18=
X-Received: by 2002:a17:907:7291:b0:9be:7dd3:40ab with SMTP id dt17-20020a170907729100b009be7dd340abmr872906ejc.2.1699433869273; Wed, 08 Nov 2023 00:57:49 -0800 (PST)
MIME-Version: 1.0
References: <mlichvar@redhat.com> <ZUs1hQvWMeEm9nby@localhost> <20231108084434.4B8DA28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20231108084434.4B8DA28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
From: David Venhoek <david@venhoek.nl>
Date: Wed, 08 Nov 2023 09:57:38 +0100
Message-ID: <CAPz_-SXs9J=O-iXf+p00F1A7wCOwJNvdzURHJa0ZU+6QoEM0ng@mail.gmail.com>
To: Hal Murray <halmurray+ietf@sonic.net>
Cc: Miroslav Lichvar <mlichvar@redhat.com>, NTP WG <ntp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/pcglwgkwQRKQvjTTH1lzI04WWLw>
Subject: [Ntp] Rate limiting/reflection prevention (Was: NTPv5 KISS code support)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2023 08:57:56 -0000

Added a number of specific comments below, but I do also want to put
up for discussion whether we should even care about the reflection
potential of NTP. The reason I think of this as being a reasonable
question is that it does seem that a lot of other protocols (QUIC, TCP
to name just a few) seem rather unconcerned by this. More
fundamentally, the potential for reflection seems very much inherent
to the design of the internet, and I think that if we really see this
as a massive problem it should be solved in the routing layers.

Note that the above is specifically about reflection (e.g.
bytes/packets in to bytes/packets out ratio is 1). Amplification of
course is and should remain a point of attention.

On Wed, Nov 8, 2023 at 9:44 AM Hal Murray <halmurray+ietf@sonic.net> wrote:
>
>
> Thanks.
>
> > In my tests responding to 25% of requests seems to be sufficient for clients
> > like ntpd to keep the clock synchronized, although not very well.
>
> > The server needs to respond to some constant percentage of the requests and
> > select them randomly. The attacker would need to send requests at a much
> > higher rate in order to overload the network or the server to actually reduce
> > the rate of responses that the victim gets. Doing that for a larger number of
> > servers like pool.ntp.org would be impractical.
>
> If we let 25% of the bad traffic through, we have opened up the server for use
> as a reflector.  The bad guy will just have to find 3 other servers to get the
> same amount of traffic through.

I think you are missing an important detail, which is that an attacker
not just needs to find 3 other servers for the same amount of traffic,
but also needs to send 4x as much traffic from the actual attacking
machines.

>
>
> [putting IP Address into cookie]
> > Yes, that would help. The drawback is that the clients would need to restart
> > NTS-KE after moving to a different network.

One of the approaches here I have been toying around with (though
without running code yet) is to not include an ip address in the
cookies, but rather a non-adress-related id. This allows throttling of
problematic traffic without affecting well-behaving nts users
(although that does break down once an attacker starts many nts-ke
sessions, though you could try to rate limit that perhaps).

We should I think be careful with putting ip addresses in the cookies.
Given modern network topologies where quite a few devices may have
multiple routes to the internet and multiple ip addresses to match,
their NTS-KE traffic could just go out on a different interface than
the ntp udp packets, which would break if you start including ips in
cookies.

Though honestly, I think we should keep most of this as implementation
details of servers, giving perhaps guidance to implementers, but I
don't think we should give strict requirements on this.

>
> Maybe that's the price we will have to pay for not letting NTP servers be used
> as reflectors.
>
> Servers and workstations/PCs don't change IP Addresses very frequently.
>
> For laptops, we could reduce the load by making the client store sets of
> cookies per IP Address.  That would cover the common case of a laptop that
> migrates from home to work each day.  I don't know enough about typical use
> cases for portable systems to go much farther than that.
>
> The client could run in no-check-address mode until they lost a string of
> packets, aka appeared to be under attack, then switch to check-address mode.
>
>
>
> --
> These are my opinions.  I hate spam.
>
>
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp