[nsp-sec] NTP probes visiting a net near you
Gert Doering
gert at greenie.muc.de
Thu Jan 7 10:21:47 EST 2010
Hi,
On Thu, Jan 07, 2010 at 01:32:12PM +0000, Nick Hilliard wrote:
> On 26/12/2009 17:13, Nick Hilliard wrote:
> > Worse still, while time query request packets are the same size as time
> > query response packets:
>
> and, almost on cue, it turns out that ntp is susceptible to a bounce
> attack. Again, quite nasty for ntp servers with access to lots of bandwidth.
>
> http://www.kb.cert.org/vuls/id/568372
Nick, you're running in circles :-) - this CERT vuln was the *start* of
this thread...
To come back to my original thoughts on whether an "open" NTP server is a
bad thing. I'd flag any NTP server that responds to any sort of control
packet (which could be used for amplification or ping-pong attacks) as
"bad, needs patching".
For NTP servers that only answer to time queries, I see them as a public
service (pool.ntp.org comes to mind...) and I do not think that this is
bad in any way - well, what you can do is packet reflection, but it's
not amplification, so the gain is small.
gert
--
Gert Doering
SpaceNet AG, AS 5539, gert at space.net. PGP-KeyID: 0x65514975
Also reachable via gert at greenie.muc.de and gert at net.informatik.tu-muenchen.de
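The distinction Gert draws above, a server that answers control/private-mode packets (mode 6 for ntpq, mode 7 for ntpdc) versus one that only answers 48-byte time queries, can be checked mechanically from the first byte of each UDP/123 payload. The following script is an added example for this thread, not code from the original post or from the NTP project: it builds a mode 3 query, decodes the leap/version/mode byte, and computes the bytes-returned-per-byte-sent ratio over a set of request/response pairs. The pairs in `SAMPLE_EXCHANGES` are constructed for illustration; the mode 6 and mode 7 reply sizes are invented placeholders, not measurements, while the 48-byte sizes for the time exchange are the fixed NTP packet size.

```python
"""Classify NTP traffic by packet mode and estimate amplification.

Added example for this thread, not code from the original post or from ntpd.
All "captured" traffic below is constructed; mode 6/7 reply sizes are illustrative.
"""
import socket
import struct
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch

# Mode is the low three bits of the first byte (RFC 1305 / RFC 5905).
MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}
TIME_MODES = {1, 2, 3, 4, 5}   # ordinary time exchange, fixed 48-byte packets
CONTROL_MODES = {6, 7}         # ntpq (mode 6) and ntpdc (mode 7) traffic


def ntp_packet(mode, version=4, stratum=0, transmit=0):
    """Build a 48-byte NTP time packet with the given mode; other fields zeroed."""
    first = (version << 3) | mode  # LI=0, version, mode
    # 4-byte header, root delay/dispersion/refid (12 B), four 64-bit timestamps (32 B)
    return struct.pack("!BBBb11I", first, stratum, 0, 0, *([0] * 9), transmit, 0)


def build_client_request():
    """Mode 3 query as a client sends it: transmit timestamp (seconds) = now."""
    return ntp_packet(3, transmit=int(time.time()) + NTP_EPOCH_OFFSET)


def parse_header(pkt):
    """Decode leap indicator / version / mode from the first byte of any NTP packet."""
    if not pkt:
        raise ValueError("empty packet")
    return {"li": pkt[0] >> 6, "version": (pkt[0] >> 3) & 7, "mode": pkt[0] & 7}


def assess_server(exchanges):
    """Per request mode: payload bytes sent, bytes returned, amplification factor.

    exchanges: list of (request_bytes, [response_bytes, ...]) pairs.
    Only UDP payload is counted; IP/UDP headers would add a constant per packet.
    """
    report = {}
    for req, responses in exchanges:
        mode = parse_header(req)["mode"]
        sent = len(req)
        received = sum(len(r) for r in responses)
        report[mode] = {"name": MODE_NAMES.get(mode, "reserved"),
                        "sent": sent, "received": received,
                        "factor": round(received / sent, 2) if sent else 0.0}
    return report


def verdict(report):
    """Apply the rule from the thread: answering control/private modes means patch it."""
    if any(report[m]["received"] > 0 for m in report if m in CONTROL_MODES):
        return "bad, needs patching (answers control packets)"
    if any(report[m]["received"] > 0 for m in report if m in TIME_MODES):
        return "time-only: reflector but not an amplifier"
    return "no response"


def probe_time(host, timeout=2.0):
    """Send one benign mode 3 query; return (reply length, reply mode, stratum)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(), (host, NTP_PORT))
        reply, _ = s.recvfrom(1024)
    return len(reply), parse_header(reply)["mode"], reply[1]


# Constructed traffic samples (not real captures).
CLIENT_QUERY = build_client_request()
SERVER_REPLY = ntp_packet(4, stratum=2)                    # same 48 bytes as the query
MODE7_REQUEST = b"\x17\x00\x03\x2a" + b"\x00" * 4          # VN2/mode 7, 8-byte ntpdc header
MODE7_REPLIES = [b"\x97\x00\x03\x2a" + b"\x00" * 436] * 3  # illustrative sizes only
MODE6_READSTAT = b"\x16\x01\x00\x01" + b"\x00" * 8         # VN2/mode 6, opcode 1, 12 bytes
MODE6_REPLIES = [b"\x16\x81\x00\x01" + b"\x00" * 28]       # illustrative size only

SAMPLE_EXCHANGES = [(CLIENT_QUERY, [SERVER_REPLY]),
                    (MODE7_REQUEST, MODE7_REPLIES),
                    (MODE6_READSTAT, MODE6_REPLIES)]

if __name__ == "__main__":
    result = assess_server(SAMPLE_EXCHANGES)
    for mode, row in sorted(result.items()):
        print(f"mode {mode} ({row['name']}): sent {row['sent']} B, "
              f"got {row['received']} B, factor {row['factor']}")
    print(verdict(result))
```

Run against the constructed samples, the mode 3 exchange comes out at a factor of 1.0 (pure reflection, as the post says), while any non-zero reply to the mode 6 or mode 7 requests trips the "needs patching" verdict regardless of the factor; `probe_time()` only ever sends a mode 3 query, so pointing it at a host you are allowed to test is no more intrusive than running ntpdate.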