Vulnerability of NTP

Robert Seastrom rs at seastrom.com
Thu Feb 27 06:41:59 CST 2014


On Feb 26, 2014, at 10:28 PM, Andre Kesteloot <andre.kesteloot at verizon.net> wrote:

> On 2/26/2014 20:21 PM, Robert Seastrom wrote:
>> On Feb 25, 2014, at 11:50 PM, Andre Kesteloot <andre.kesteloot at verizon.net>
>>  wrote:
>> 
>> 
>>>> http://www.bbc.co.uk/news/technology-26136774
>>>>  
>>>> 
>> The article kind of misses the point, that it's not NTP or open servers that's the problem; it's amplification potential 
>> 
> 
> (Dear, or Formerly Dear  -:) Rob,
> 
> That's like saying "I want to leave my doors open at night, the problem is with those thieves out there". 
> Of course, yes, sure, the problem is the bad guys, but it is up to me and my friends to accept that, nowadays, I have to close and lock my doors and my windows (pun intended) at night.
> 
> I 'd hate to disagree with you (in public), but the article did not miss the point: the title was clearly "the vulnerability of NTP." 
> Vulnerability is therefore what we are discussing. 

Referring to the original article, the word "amplify" or "amplification" is in there twice, yet the article does not make it clear that the mitigation is to simply turn off a debugging command that is in there as a relic of a simpler time.

There is no particular vulnerability with the underlying NTP protocol; the problem rests with the "monlist" command and its 3000x amplification potential.  Stated another way, this is a problem with a popular implementation (ntpd), not a problem with NTP. 

So, I stand by my assertion that the article misses the point; the abuse potential for a spoofable protocol that does not provide amplification is low; one might as well just spoof the packets directly and be done with it (and people do, but attempts to mitigate this are a subject for a different discussion!).

> And NTP (certainly a most useful thing) has been overwhelmed by a simple DOS (denial of service attack) and therefore, the NTP network itself/ --with all its advantages-- must be protected.

Already done: pretty much all of the intentionally public servers out there were clamped down months ago, and at my day job we're iteratively going over all of our customer stuff, prioritized by abuse potential.

By the way, NTP and the "NTP network" (not sure what that is) have not been overwhelmed; it's the poor folks whose addresses are spoofed as part of a coordinated attack who are getting overwhelmed.  The NTP servers that are leveraged to be part of the attack generally continue working fine.

> NTP, as you well know, is used by most computers connected to the Web today, just like Visa Cards are used by most human beings in the US.
> 
> You would probably agree that attacks, against poorly-protected Visa Card databases, are the problems of the databases managers, not the problem of hackers trying to gain access to them. 
> http://business.time.com/2014/02/11/targets-hacking-fix-is-second-rate-says-consumer-reports/

Actually the problem there is a business decision on the part of the credit card issuers (now being revisited) that mag stripe and signature would keep the fraud level down to tolerable levels and that the cost of implementing chip and signature or chip and PIN exceeded the likely return on that investment.  For many years that was true, but those who don't periodically revisit the threat ecosystem eventually make themselves look like fools when they rail against the threat posed by the Kaiser...  and so it is with the credit card folks.  When it comes to outdated assumptions and technical cluelessness I don't wish a PCI compliance audit on anyone (though I hear it might have gotten better in the decade since I've had to suffer one).

> If my computer uses NTP,  --and it does--  should it not be protected by "those in charge " (whoever they may be).

Here is another point that should have been made by the article since it left you with an incorrect impression - your personal computer is almost certainly not vulnerable to being leveraged to be part of the attack for two reasons:

1) You are in all probability not running an NTP *server*.  You are running an NTP client, and a restricted one at that.
2) Your computer is behind a firewall with a "default deny inbound" policy.

Sure you could be at the receiving end of the attack, but the odds of that are no different than any other, and if you're well in tune with the status of certain services on the Internet that have been targets lately you've definitely seen the effects of the attacks.

It is *possible* that your FIREWALL/ROUTER might be vulnerable to being leveraged as part of this attack.  Macs and Windows boxes, even Linux desktop computers, generally update software (mostly automatically) on a regular basis.  When was the last time you updated the software on your firewall?  If you're like most people the answer is "never".  The article failed to make this very important point.  Missed opportunity.

> Considering the usefulness, as well as the vulnerabilities of NTP, wouldn't it be a good idea if "Cyber Command" (or whoever else in Go'ment), whatever else they may be doing, were to get involved, considering the downside potential of doing nothing?

We (industry) are already doing something; optimistically speaking governmental involvement is likely to be value-subtracted, too little too late.  It will however make us feel as if we're *doing something*, since after all *something must be done*.  I nominate Michael D. Brown as the ideal person to lead this effort.

> 73
> André

73 (still dear, not formerly dear!)

-r
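[Editor's note, added to the archive page and not part of Rob's or André's messages: the exchange above turns on two concrete points, the mode 7 "monlist" debugging command being what makes ntpd an amplifier, and the fix being to stop answering it. The Python below is an added worked example showing both. It builds the 8-byte monlist probe, parses the mode 7 header, computes the byte amplification over a constructed response (the entry payloads are zero-filled and the 600-entry list size is an assumption for illustration; real factors depend on how many clients the server has cached and on whether you count payload or on-the-wire bytes), and audits two constructed ntp.conf fragments for the mitigation. The restrict/disable syntax is ntpd's own; ntpd 4.2.7p26 and later refuse monlist regardless, so the audit only matters for older builds.]

```python
"""NTP mode 7 'monlist' probe, response parsing, amplification, and ntp.conf audit.

Added example for the Tacos thread above; not code from the original post.
Packet layout follows ntpd's private-mode (mode 7) header. The response
entries and both ntp.conf fragments are constructed for this example.
"""
import re
import struct

# Mode 7 header: flags | auth/seq | implementation | request code | err/nitems | mbz/size
MODE7_HEADER = struct.Struct("!BBBBHH")
IMPL_XNTPD = 3
REQ_MON_GETLIST, REQ_MON_GETLIST_1 = 20, 42
MON_ENTRY_SIZE = 72       # bytes per monitored-client record in a monlist reply
MAX_ENTRIES_PER_PKT = 6   # 6 * 72 = 432 data bytes + 8 header = 440-byte reply packets

# The whole probe an attacker spoofs: response=0, more=0, version=2, mode=7 -> 0x17,
# then implementation 3 and request code 42 with the remaining fields zero.
MONLIST_REQUEST = MODE7_HEADER.pack(0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7(packet: bytes) -> dict:
    """Split a mode 7 header into its fields (flag bits, 7-bit sequence, 12-bit counts)."""
    flags, auth_seq, impl, req, err_nitems, mbz_size = MODE7_HEADER.unpack_from(packet)
    return {
        "response": bool(flags & 0x80), "more": bool(flags & 0x40),
        "version": (flags >> 3) & 0x07, "mode": flags & 0x07,
        "seq": auth_seq & 0x7F, "impl": impl, "req": req,
        "err": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
        "size": mbz_size & 0x0FFF,
    }


def is_monlist_request(payload: bytes) -> bool:
    """IDS-style check: is this UDP payload a monlist request (either request code)?"""
    if len(payload) < MODE7_HEADER.size:
        return False
    h = parse_mode7(payload)
    return (not h["response"] and h["mode"] == 7 and h["impl"] == IMPL_XNTPD
            and h["req"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def build_monlist_response(n_entries: int) -> list:
    """Constructed reply stream: 6 zero-filled 72-byte entries per packet, 'more' set
    on every packet but the last. Real entries carry client address and counters."""
    packets = []
    for seq, start in enumerate(range(0, n_entries, MAX_ENTRIES_PER_PKT)):
        n = min(MAX_ENTRIES_PER_PKT, n_entries - start)
        more = start + n < n_entries
        flags = 0x80 | (0x40 if more else 0x00) | 0x17
        hdr = MODE7_HEADER.pack(flags, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, n, MON_ENTRY_SIZE)
        packets.append(hdr + bytes(MON_ENTRY_SIZE * n))
    return packets


def amplification_factor(request: bytes, response_packets: list) -> float:
    """Payload bytes returned per payload byte sent (what the spoofed victim absorbs)."""
    return sum(len(p) for p in response_packets) / len(request)


# Constructed configs: the first answers mode 7 queries from anyone, the second does not.
WEAK_CONF = """\
server 0.pool.ntp.org
restrict default nomodify notrap
"""

HARDENED_CONF = """\
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""


def monlist_exposed(conf: str) -> bool:
    """True if ntpd would still answer monlist for arbitrary sources.
    Either 'disable monitor' or 'noquery' on every default restriction closes it."""
    lines = [ln.split("#", 1)[0].strip() for ln in conf.splitlines()]
    if any(re.fullmatch(r"disable\s+.*\bmonitor\b", ln) for ln in lines):
        return False
    defaults = [m.group(1).split() for ln in lines
                if (m := re.fullmatch(r"restrict\s+(?:-[46]\s+)?default\b\s*(.*)", ln))]
    return not defaults or any("noquery" not in flags for flags in defaults)


if __name__ == "__main__":
    pkts = build_monlist_response(600)
    print(f"{len(pkts)} packets, {amplification_factor(MONLIST_REQUEST, pkts):.0f}x payload amplification")
    print("weak config exposed:", monlist_exposed(WEAK_CONF))
    print("hardened config exposed:", monlist_exposed(HARDENED_CONF))
```

The check for a live server is the same probe sent to UDP/123 (`ntpdc -n -c monlist <host>` does it); a server that answers with anything other than silence or a short error still needs the restrict line or the `disable monitor` directive above.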
