oss-sec mailing list archives

Re: RFC: ntp behavior with spoofed source IPs

From: "Mike O'Connor" <mjo () dojo mi org>
Date: Thu, 27 Sep 2012 23:11:51 -0400

:While changing from openntpd (Ubuntu/universe) to ntp (main), a short evaluation of ntp configuration options was 
performed. Older ntp-versions on Ubuntu lucid do not support to disable ntp listening on all interfaces, even when 
using it just to synchronize with servers, but machine not delivering NTP services itself (see [1]). Newer versions 
come with a default configuration listening on all interfaces ([2]).

There were command-line flags -I/-L for ntpd to facilitate only
accepting packets on given interfaces.  They'd been around for a
number of years, but were badly documented.  You're right in that
older ntpd still *listened* on all interfaces, even with the -I/-L
flags, with no way to not listen, until the assorted issues in
http://bugs.ntp.org/show_bug.cgi?id=983 were addressed.  Why I
happen to know this is because...

:I would like to hear comments on following scenarios using NTP requests with spoofed source IP, especially regarding 
the fact, that receiving of such packets could be considered to a higher degree a problem of the host base setup 
(rp_filter, firewalling) and not ntp itself, even for embedded devices (WLAN router).

...a couple years back, I observed that a fresh MacOS Leopard/10.5.8
install had 123/udp and ntpd exposed, even with its firewall in place.
At the time, I considered it to be more of a firewall deficiency.  I
guess I'm "used" to ntpd default configs that (off the top of my head):

      a) have broadcast/multicastclient enabled
      b) point to some vendor's "pet" NTP servers
      c) do those fake, drifty stratum 10 clocks
         etc.

By comparison, spoofing was low on the list of headaches.  For what I
tend to care about, ntpd doesn't make sense until I scrub whatever the
default config is and do something simple from scratch.  And, I don't
really expect "strong security" unless I do authentication and|or can
reasoanbly validate the path to the stratum 0 reference clock.  

-Mike

-- 
 Michael J. O'Connor                                          mjo () dojo mi org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"As God is my witness, I thought turkeys could fly!"      -WKRP In Cincinnati

Attachment: _bin
Description:

Current thread:

RFC: ntp behavior with spoofed source IPs Fiedler Roman (Sep 26)
- Re: RFC: ntp behavior with spoofed source IPs Mike O'Connor (Sep 27)
- Re: RFC: ntp behavior with spoofed source IPs cve-assign (Sep 28)