time-nuts@lists.febo.com

Discussion of precise time and frequency measurement


NTP as vector for DDOS attacks?

JL
Jim Lux
Fri, Jan 10, 2014 12:32 PM

http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/

Interesting.. throw requests at an NTP server that look as if they come
from the target, prompting large responses to the victim, presumably to
overload it.

The article talks about how the victim site can easily filter out the
messages from the NTP server, but does not seem to discuss the
"societal" impact of potentially screwing up a public service (the NTP
server)

CA
Chris Albertson
Fri, Jan 10, 2014 7:52 PM

It's not a big deal.  Even if one pool NTP server is down, there are
literally hundreds of others and most NTP users are configured to look at
between three and five.  Not only that, the POOL servers are randomly
assigned, so if one of your NTP servers is taken down, next time it is
unlikely you'd get hooked up to the same pool server.

Basically taking down an NTP server is just like a kid at school covering
over a clock so "no one will know what time it is".  The easy solution is
that everyone will just look at a different clock.

I actually doubt you could take down a public NTP server unless you used a
distributed attack with thousands of PCs all sending packets.

On Fri, Jan 10, 2014 at 4:32 AM, Jim Lux jimlux@earthlink.net wrote:

http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/

Interesting.. throw requests at an NTP server that look as if they come
from the target, prompting large responses to the victim, presumably to
overload it.

The article talks about how the victim site can easily filter out the
messages from the NTP server, but does not seem to discuss the "societal"
impact of potentially screwing up a public service (the NTP server)


time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.

--

Chris Albertson
Redondo Beach, California

P
Paul
Fri, Jan 10, 2014 9:06 PM

On Fri, Jan 10, 2014 at 2:52 PM, Chris Albertson
albertson.chris@gmail.com wrote:

It's not a big deal.  Even if one pool NTP server is down

On Fri, Jan 10, 2014 at 4:32 AM, Jim Lux jimlux@earthlink.net wrote:

The article talks about how the victim site can easily filter out the
messages from the NTP server, but does not seem to discuss the "societal"
impact of potentially screwing up a public service (the NTP server)

It's an amplification attack.  It's about taking down citi.com or
whitehouse.gov -- not taking down pool.ntp.org (or any part of it).

JL
Jim Lux
Fri, Jan 10, 2014 9:10 PM

On 1/10/14 1:06 PM, Paul wrote:

On Fri, Jan 10, 2014 at 2:52 PM, Chris Albertson
albertson.chris@gmail.com wrote:

It's not a big deal.  Even if one pool NTP server is down

On Fri, Jan 10, 2014 at 4:32 AM, Jim Lux jimlux@earthlink.net wrote:

The article talks about how the victim site can easily filter out the
messages from the NTP server, but does not seem to discuss the "societal"
impact of potentially screwing up a public service (the NTP server)

It's an amplification attack.  It's about taking down citi.com or
whitehouse.gov -- not taking down pool.ntp.org (or any part of it).

Yes..
but how long before someone thinks of putting the amplifier after a
botnet, rather than driving it directly.

HS
Harlan Stenn
Fri, Jan 10, 2014 9:49 PM

This amplification attack vector is really easy to stop.  The procedure
is documented in the CERT advisory, which was released with almost no
forewarning to me or my team.  While we knew about it and drafted the
mitigation information and tweaked other portions of the announcement,
we were expecting a bit more time to prepare information for the NTP and
NTF websites.

If there are vulnerable systems out there that cannot be configured to
behave well, then the vendors of those systems will receive a wakeup
call and get a fair amount of bad press.

A silver lining is that this situation may induce folks to donate to
NTF, join NTF's NTP Consortium, and/or become inaugural members of NTF's
Certification and Compliance Program, which will make sure that default
configurations don't have these or similar problems.

It's great to talk about all of these things.

I submit it's even better for people and institutions who care about
network time to financially support Network Time Foundation.

--
Harlan Stenn stenn@ntp.org
http://networktimefoundation.org  - be a member!

TS
Tapio Sokura
Sun, Jan 12, 2014 4:44 AM

On 10.1.2014 23:10, Jim Lux wrote:

but how long before someone thinks of putting the amplifier after a
botnet, rather than driving it directly.

It has probably been done for a while already, like has been done before
with protocols such as dns and chargen. I'm perpetually amazed how so
many IP networks and ISPs in the world still let packets with faked
source addresses through, thus enabling reflection/amplification attacks
and in general making tracking (d)dos sources that much harder.

If you run a network or an ISP, read and implement BCP38 if you haven't
already, please! It will make the Internet a better place, even if it's
just a network at a time. Trying to "secure" UDP amplification attacks a
higher-level protocol at a time is like putting a band-aid on a bad water
hose that leaks, with new leaks springing up elsewhere as the pressure
in the hose rises from the newly applied (still leaking) band-aids.

Sorry for wandering a bit off-topic here, just couldn't resist the
temptation. Maybe I should go rig my trusty Oncore VPs back online..

Tapio, oh2kku
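A defender-side illustration of the two points raised above (spoofed requests prompting large replies to a victim, and BCP38 source-address validation), added here as an example and not code from the thread or from any NTP project; all addresses, prefixes and flow records are constructed sample data.

```python
# Added example (not from the time-nuts thread). Two defender-side checks for
# the spoofed-source NTP reflection pattern described above; all addresses,
# prefixes and flow records are constructed sample data.
from collections import defaultdict
from ipaddress import ip_address, ip_network

NTP_PORT = 123

def bcp38_ingress_ok(src_ip, customer_prefixes):
    """BCP38 (RFC 2827) source-address validation: a packet arriving from a
    customer link is accepted only if its source lies in a prefix assigned to
    that customer. Spoofed packets claiming a victim's address fail here."""
    addr = ip_address(src_ip)
    return any(addr in ip_network(p) for p in customer_prefixes)

def find_amplification_victims(flows, min_ratio=10.0, min_resp_bytes=100_000):
    """Scan NetFlow-like records (dicts: src, dst, sport, dport, bytes) as seen
    at the NTP server. Returns {host: ratio} for hosts that received far more
    NTP reply bytes (sport 123) than the request bytes "they" sent (dport 123):
    the signature of spoofed requests prompting large responses to a victim."""
    req = defaultdict(int)   # request bytes with this host as (claimed) source
    resp = defaultdict(int)  # reply bytes sent to this host
    for f in flows:
        if f["dport"] == NTP_PORT:
            req[f["src"]] += f["bytes"]
        elif f["sport"] == NTP_PORT:
            resp[f["dst"]] += f["bytes"]
    victims = {}
    for host, rbytes in resp.items():
        if rbytes < min_resp_bytes:
            continue  # ignore low-volume hosts; ordinary clients never trip this
        ratio = rbytes / max(req[host], 1)
        if ratio >= min_ratio:
            victims[host] = round(ratio, 1)
    return victims

# Constructed flows at reflector 198.51.100.10: 203.0.113.5 is the spoofed
# victim (tiny requests in, huge replies out); 192.0.2.20 is a normal client.
SAMPLE_FLOWS = [
    {"src": "203.0.113.5", "dst": "198.51.100.10", "sport": 40000, "dport": 123, "bytes": 2_400},
    {"src": "198.51.100.10", "dst": "203.0.113.5", "sport": 123, "dport": 40000, "bytes": 480_000},
    {"src": "192.0.2.20", "dst": "198.51.100.10", "sport": 50001, "dport": 123, "bytes": 48},
    {"src": "198.51.100.10", "dst": "192.0.2.20", "sport": 123, "dport": 50001, "bytes": 48},
]
```

Running `find_amplification_victims(SAMPLE_FLOWS)` flags only the spoofed host, and the BCP38 check rejects that same source when it shows up on a customer link whose assigned prefix does not contain it.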

BC
Bob Camp
Sun, Jan 12, 2014 2:51 PM

Hi

There is indeed a list devoted to NTP and they have spent the last couple of months / years going over security issues in great detail.

Bob

On Jan 11, 2014, at 11:44 PM, Tapio Sokura tapio.sokura@iki.fi wrote:

On 10.1.2014 23:10, Jim Lux wrote:

but how long before someone thinks of putting the amplifier after a
botnet, rather than driving it directly.

It has probably been done for a while already, like has been done before
with protocols such as dns and chargen. I'm perpetually amazed how so
many IP networks and ISPs in the world still let packets with faked
source addresses through, thus enabling reflection/amplification attacks
and in general making tracking (d)dos sources that much harder.

If you run a network or an ISP, read and implement BCP38 if you haven't
already, please! It will make the Internet a better place, even if it's
just a network at a time. Trying to "secure" UDP amplification attacks a
higher-level protocol at a time is like putting a band-aid on a bad water
hose that leaks, with new leaks springing up elsewhere as the pressure
in the hose rises from the newly applied (still leaking) band-aids.

Sorry for wandering a bit off-topic here, just couldn't resist the
temptation. Maybe I should go rig my trusty Oncore VPs back online..

Tapio, oh2kku
