[time-nuts] When NTP goes wrong...

Paul tic-toc at bodosom.net
Sun Oct 25 17:40:18 UTC 2015


[This is my final contribution to this topic since real time-nuts using NTP
run their own S1 servers driven by their Thunderbolts (et.seq.) and don't
need to worry about this]

On Sun, Oct 25, 2015 at 11:27 AM, Florian Teply <usenet at teply.info> wrote:

> >
> > >But if I read that article on ars technica correctly, it looks like
> > >it is something inherent to the ntp protocol itself and the
> > >definitions it makes.
>

Only loosely.  It might appear that RFC5095 admits certain attacks using
the 'debug' interface; however, the 'source'* document says (referring to
the 'nonce' check):

"While it seems reasonable to expect this check to be performed on the KoD
packet as well, RFC 5905 [41, Sec. 7.4] does not seem to explicitly require
this."

I believe this is an incorrect interpretation but in any case I think it's
clear the RFC is ambiguous and the published "fix" is to explicitly
validate the nonce.  Other fixes include completely disabling the 'debug'
interface. Implicit in this is the need to update the NTPv4 RFC.

I advise those concerned to read RFC5095, the BU paper* (don't worry about
the 68 references) and check the NTP security notice** to draw your own
conclusions about this problem, keeping in mind Wojciech's recent comments.

*http://www.cs.bu.edu/~goldbe/papers/NTPattack.pdf
**http://support.ntp.org/bin/view/Main/SecurityNotice
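
[Added example, not part of the original message and not ntpd's own code: a minimal sketch of the fix mentioned above, applying the 'nonce' check (the origin timestamp of a reply must echo the transmit timestamp of the client's outstanding request) to Kiss-o'-Death packets as well. The names check_kod, build_kod and enum verdict are hypothetical, and the timestamp bytes are constructed sample values.]

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_HDR_LEN 48   /* NTPv4 header without extension fields or MAC */
#define OFF_STRATUM 1    /* stratum 0 marks a Kiss-o'-Death (KoD) packet */
#define OFF_REFID   12   /* carries the 4-character kiss code when stratum is 0 */
#define OFF_ORIGIN  24   /* server echoes the client's transmit timestamp here */

enum verdict { NOT_KOD, KOD_ACCEPT, KOD_DROP, MALFORMED };
/* sent_xmt: transmit timestamp of our outstanding request, all zero if none.
 * kiss: receives the NUL-terminated kiss code, only when the KoD is accepted. */
enum verdict check_kod(const uint8_t *pkt, size_t len,
                       const uint8_t sent_xmt[8], char kiss[5])
{
    static const uint8_t none[8] = {0};
    kiss[0] = '\0';
    if (pkt == NULL || len < NTP_HDR_LEN) return MALFORMED;
    if (pkt[OFF_STRATUM] != 0) return NOT_KOD;  /* normal reply, not handled here */
    /* A KoD that cannot be tied to a request we actually sent is discarded. */
    if (memcmp(sent_xmt, none, 8) == 0 ||
        memcmp(pkt + OFF_ORIGIN, sent_xmt, 8) != 0)
        return KOD_DROP;
    memcpy(kiss, pkt + OFF_REFID, 4);
    kiss[4] = '\0';
    return KOD_ACCEPT;
}

/* Constructed sample input: a stratum-0 server reply with a chosen origin. */
void build_kod(uint8_t pkt[NTP_HDR_LEN], const char code[4], const uint8_t origin[8])
{
    memset(pkt, 0, NTP_HDR_LEN);
    pkt[0] = (3 << 6) | (4 << 3) | 4;   /* LI=3, VN=4, mode=4 (server) */
    memcpy(pkt + OFF_REFID, code, 4);
    memcpy(pkt + OFF_ORIGIN, origin, 8);
}

int main(void)
{
    const uint8_t xmt[8]   = {0xd9,0xd7,0x3c,0x12,0x4f,0x1a,0x2b,0x3c}; /* constructed */
    const uint8_t wrong[8] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08}; /* constructed */
    uint8_t pkt[NTP_HDR_LEN];
    char kiss[5];
    build_kod(pkt, "RATE", xmt);
    printf("echoed origin: verdict %d, kiss '%s'\n", check_kod(pkt, sizeof pkt, xmt, kiss), kiss);
    build_kod(pkt, "RATE", wrong);
    printf("wrong origin:  verdict %d\n", check_kod(pkt, sizeof pkt, xmt, kiss));
    return 0;
}
```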


