Re: [ntpwg] Antw: Attackers use NTP reflection in huge DDoS attack

Brian Haberman <brian@innovationslab.net> Sat, 15 February 2014 18:37 UTC

Message-ID: <52FF99BA.6040709@innovationslab.net>
Date: Sat, 15 Feb 2014 11:45:46 -0500
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: ntpwg@lists.ntp.org
References: <f269255720f044ebb52f6db0b9309a31@exrad6.ad.rad.co.il> <52FDDCED020000A1000145E5@gwsmtp1.uni-regensburg.de> <52FE3FDD.9040105@innovationslab.net> <52FECC6F.5070903@ntp.org>
In-Reply-To: <52FECC6F.5070903@ntp.org>
Subject: Re: [ntpwg] Antw: Attackers use NTP reflection in huge DDoS attack

Hi Danny,

On 2/14/14 9:09 PM, Danny Mayer wrote:
> On 2/14/2014 11:10 AM, Brian Haberman wrote:
>> A question for the group...
>>
>> Do we need to codify these (and maybe other) security guidelines in
>> a BCP?
>>
>> Brian
> 
> For this particular attack, I'm not so sure since they involve mode 7
> packets and as far as I know only the reference implementation from
> ntp.org implements them as well as mode 6 packets which are also meant
> as management tools. These packets are not well documented,
> particularly mode 7 and I believe only mode 6 packets are documented
> in RFC 1305 which has been obsoleted by RFC 5905.

Correct.  There is a draft in progress to document the mode 6 packets
(http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-02).

> 
> Only mode 6 and mode 7 packets could be used in an amplification
> attack as all the other types return just the same size packets as the
> incoming ones.

It may be worthwhile to discuss the security implications of the mode 6
& 7 packets (in case another implementation decides to support them).

> 
> There is a general need for a BCP for NTP, particularly over things
> like Rules of Engagement and KOD packets. Some of the more well-known NTP
> servers (like NIST and USNO) are overwhelmed with packets, hardware
> manufacturers have hard-coded IP addresses of NTP servers, and some
> software just bombards NTP servers with requests.
> 
> So I think that my answer is in general yes, but not specifically
> about this.

Makes sense and is the reason for my parenthetical "and maybe other" in
my initial question.

I would like to see some WG effort put into this type of document.

Regards,
Brian


_______________________________________________
ntpwg mailing list
ntpwg@lists.ntp.org
http://lists.ntp.org/listinfo/ntpwg
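As an added example for the mode 6/7 discussion in this thread (Danny's point that only those two modes answer with a larger packet than they received, and the mitigation question behind a BCP), not code from ntp.org, the NTP WG, or anyone on the list: a Python script that classifies NTP UDP payloads by mode from the header byte, totals request and reply bytes per (client, server, mode) flow to expose the amplification ratio, and checks an ntp.conf for the two monlist mitigations (`restrict default ... noquery` and `disable monitor`). The mode 7 field layout follows ntpd's ntp_request.h (implementation 3, request code 42 for MON_GETLIST_1, 72-byte entries); the addresses, packet contents, and ntp.conf text are constructed for the example, and `classify`, `amplification_by_flow`, `reflectors`, and `conf_mitigates_monlist` are names chosen here.

```python
"""Triage NTP UDP payloads by mode and measure per-flow amplification.

Added example for the ntpwg thread; not code from ntp.org or the NTP WG.
Assumes payloads are the UDP payload only (no IP/UDP headers) and that the
caller supplies (src, dst, payload) tuples, e.g. decoded from a pcap.
"""
import struct
from collections import defaultdict

MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast",
              6: "control (ntpq)", 7: "private (ntpdc)"}
PAIR_MODE = {4: 3, 2: 1}      # reply mode -> the request mode it answers
IMPL_XNTPD = 3                # implementation number used by ntpd (ntp_request.h)
REQ_MON_GETLIST_1 = 42        # mode 7 request code for "monlist"


def build_monlist_request() -> bytes:
    """The 8-byte MON_GETLIST_1 probe: R=0 M=0 VN=2 mode=7 (0x17), seq 0,
    impl 3, request 42, err/nitems 0, mbz/size 0."""
    return struct.pack("!BBBBHH", (2 << 3) | 7, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(payload: bytes) -> dict:
    """Mode 7 header: byte0 R|M|VN|mode, byte1 A|seq, impl, reqcode,
    then 4-bit err + 12-bit nitems, 4-bit mbz + 12-bit item size."""
    b0, _seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
            "implementation": impl, "request": req,
            "err": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
            "item_size": mbz_size & 0x0FFF}


def classify(payload: bytes) -> dict:
    """Decode LI/VN/mode from byte 0 (common to all modes) and decide whether
    the packet is a request or a reply."""
    if len(payload) < 8:
        raise ValueError("NTP payload shorter than any valid header")
    b0 = payload[0]
    mode = b0 & 0x7
    info = {"li": b0 >> 6, "vn": (b0 >> 3) & 0x7, "mode": mode,
            "mode_name": MODE_NAMES[mode], "len": len(payload)}
    if mode == 7:
        info.update(parse_mode7_header(payload))
    elif mode == 6:
        info["response"] = bool(payload[1] & 0x80)   # mode 6 keeps its R bit in byte 1
    else:
        info["response"] = mode in (2, 4, 5)          # passive/server/broadcast are replies
    return info


def amplification_by_flow(packets) -> dict:
    """packets: iterable of (src, dst, payload). Requests are charged to
    (client, server, mode); replies to the same key via the reverse direction.
    Returns {(client, server, mode): {"req_bytes", "resp_bytes", "ratio"}}."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0})
    for src, dst, payload in packets:
        info = classify(payload)
        if info["response"]:
            stats[(dst, src, PAIR_MODE.get(info["mode"], info["mode"]))]["resp_bytes"] += info["len"]
        else:
            stats[(src, dst, info["mode"])]["req_bytes"] += info["len"]
    for s in stats.values():
        s["ratio"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
    return dict(stats)


def reflectors(stats: dict, threshold: float = 2.0) -> list:
    """Flows whose replies outweigh their requests; only mode 6/7 can do this."""
    return sorted(k for k, s in stats.items() if s["ratio"] > threshold)


def conf_mitigates_monlist(ntp_conf: str) -> bool:
    """True if every 'restrict [-4|-6] default' line carries noquery or ignore
    (refuses all mode 6/7), or 'disable monitor' is set (no monlist data)."""
    defaults = noquery = 0
    disable_monitor = False
    for line in ntp_conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:1] == ["disable"] and "monitor" in words[1:]:
            disable_monitor = True
        if words[:1] == ["restrict"] and "default" in words[1:3]:
            defaults += 1
            noquery += any(w in ("noquery", "ignore") for w in words)
    return disable_monitor or (defaults > 0 and noquery == defaults)


# Constructed sample traffic (RFC 5737 documentation addresses): a normal
# client/server exchange, then a spoofed monlist probe answered with six
# 72-byte entries in one reply packet.
VICTIM, REFLECTOR = "198.51.100.7", "203.0.113.9"
CLIENT_REQ = bytes([0x23]) + bytes(47)          # v4 mode 3, 48 bytes
SERVER_RESP = bytes([0x24]) + bytes(47)         # v4 mode 4, 48 bytes, same size
MONLIST_REQ = build_monlist_request()           # 8 bytes
MONLIST_RESP = struct.pack("!BBBBHH", 0x97, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 6, 72) + bytes(6 * 72)
SAMPLE = [(VICTIM, REFLECTOR, CLIENT_REQ), (REFLECTOR, VICTIM, SERVER_RESP),
          (VICTIM, REFLECTOR, MONLIST_REQ), (REFLECTOR, VICTIM, MONLIST_RESP)]

if __name__ == "__main__":
    stats = amplification_by_flow(SAMPLE)
    for key, s in stats.items():
        print(key, s)
    print("reflecting flows:", reflectors(stats))
```

On the sample, the mode 3/4 exchange comes out at a ratio of 1.0 (48 bytes each way), while the 8-byte mode 7 probe draws a 440-byte reply, a ratio of 55; real monlist replies span many packets, so the ratio over a capture is larger still. The config check encodes the two mitigations ntp.org documented for this attack: `noquery` on the default restrict line refuses every mode 6 and mode 7 query, and `disable monitor` stops ntpd collecting the data monlist returns (ntpd 4.2.7p26 and later no longer answer monlist at all).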