oss-sec mailing list archives
Re: RFC: ntp behavior with spoofed source IPs
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Thu, 27 Sep 2012 23:11:51 -0400
:While changing from openntpd (Ubuntu/universe) to ntp (main), a short evaluation of ntp configuration options was performed. Older ntp-versions on Ubuntu lucid do not support to disable ntp listening on all interfaces, even when using it just to synchronize with servers, but machine not delivering NTP services itself (see [1]). Newer versions come with a default configuration listening on all interfaces ([2]). There were command-line flags -I/-L for ntpd to facilitate only accepting packets on given interfaces. They'd been around for a number of years, but were badly documented. You're right in that older ntpd still *listened* on all interfaces, even with the -I/-L flags, with no way to not listen, until the assorted issues in http://bugs.ntp.org/show_bug.cgi?id=983 were addressed. Why I happen to know this is because... :I would like to hear comments on following scenarios using NTP requests with spoofed source IP, especially regarding the fact, that receiving of such packets could be considered to a higher degree a problem of the host base setup (rp_filter, firewalling) and not ntp itself, even for embedded devices (WLAN router). ...a couple years back, I observed that a fresh MacOS Leopard/10.5.8 install had 123/udp and ntpd exposed, even with its firewall in place. At the time, I considered it to be more of a firewall deficiency. I guess I'm "used" to ntpd default configs that (off the top of my head): a) have broadcast/multicastclient enabled b) point to some vendor's "pet" NTP servers c) do those fake, drifty stratum 10 clocks etc. By comparison, spoofing was low on the list of headaches. For what I tend to care about, ntpd doesn't make sense until I scrub whatever the default config is and do something simple from scratch. And, I don't really expect "strong security" unless I do authentication and|or can reasoanbly validate the path to the stratum 0 reference clock. -Mike -- Michael J. O'Connor mjo () dojo mi org =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--= "As God is my witness, I thought turkeys could fly!" -WKRP In Cincinnati
Attachment:
_bin
Description:
Current thread:
- RFC: ntp behavior with spoofed source IPs Fiedler Roman (Sep 26)
- Re: RFC: ntp behavior with spoofed source IPs Mike O'Connor (Sep 27)
- Re: RFC: ntp behavior with spoofed source IPs cve-assign (Sep 28)