Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 27 Sep 2012 23:11:51 -0400
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: RFC: ntp behavior with spoofed source IPs

:While changing from openntpd (Ubuntu/universe) to ntp (main), a short evaluation of ntp configuration options was performed. Older ntp-versions on Ubuntu lucid do not support to disable ntp listening on all interfaces, even when using it just to synchronize with servers, but machine not delivering NTP services itself (see [1]). Newer versions come with a default configuration listening on all interfaces ([2]).

There were command-line flags -I/-L for ntpd to facilitate only
accepting packets on given interfaces.  They'd been around for a
number of years, but were badly documented.  You're right in that
older ntpd still *listened* on all interfaces, even with the -I/-L
flags, with no way to not listen, until the assorted issues in
http://bugs.ntp.org/show_bug.cgi?id=983 were addressed.  Why I
happen to know this is because...

:I would like to hear comments on following scenarios using NTP requests with spoofed source IP, especially regarding the fact, that receiving of such packets could be considered to a higher degree a problem of the host base setup (rp_filter, firewalling) and not ntp itself, even for embedded devices (WLAN router).

...a couple years back, I observed that a fresh MacOS Leopard/10.5.8
install had 123/udp and ntpd exposed, even with its firewall in place.
At the time, I considered it to be more of a firewall deficiency.  I
guess I'm "used" to ntpd default configs that (off the top of my head):

      a) have broadcast/multicastclient enabled
      b) point to some vendor's "pet" NTP servers
      c) do those fake, drifty stratum 10 clocks
         etc.

By comparison, spoofing was low on the list of headaches.  For what I
tend to care about, ntpd doesn't make sense until I scrub whatever the
default config is and do something simple from scratch.  And, I don't
really expect "strong security" unless I do authentication and|or can
reasoanbly validate the path to the stratum 0 reference clock.  

-Mike

-- 
 Michael J. O'Connor                                          mjo@...o.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"As God is my witness, I thought turkeys could fly!"      -WKRP In Cincinnati

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.