Vulnerability of NTP

Andre Kesteloot andre.kesteloot at verizon.net
Thu Feb 27 14:23:59 CST 2014


On 2/27/2014 7:41 AM, Robert Seastrom wrote:
> On Feb 26, 2014, at 10:28 PM, Andre Kesteloot <andre.kesteloot at verizon.net> wrote:
>
>> On 2/26/2014 20:21 PM, Robert Seastrom wrote:
>>> On Feb 25, 2014, at 11:50 PM, Andre Kesteloot <andre.kesteloot at verizon.net> wrote:
>>>
>>>>> http://www.bbc.co.uk/news/technology-26136774
>>>
>>> The article kind of misses the point, that it's not NTP or open servers that's the problem; it's amplification potential
>>>
>> (Dear, or Formerly Dear -:) Rob,
>>
>> That's like saying "I want to leave my doors open at night, the problem is with those thieves out there."
>> Of course, yes, sure, the problem is the bad guys, but it is up to me and my friends to accept that, nowadays, I have to close and lock my doors and my windows (pun intended) at night.
>>
>> I'd hate to disagree with you (in public), but the article did not miss the point: the title was clearly "the vulnerability of NTP."
>> Vulnerability is therefore what we are discussing.
> Referring to the original article, the word "amplify" or "amplification" is in there twice, yet the article does not make it clear that the mitigation is to simply turn off a debugging command that is in there as a relic of a simpler time.
>
> There is no particular vulnerability with the underlying NTP protocol; the problem rests with the "monlist" command and its 3000x amplification potential.  Stated another way, this is a problem with a popular implementation (ntpd), not a problem with NTP.
>
> So, I stand by my assertion that the article misses the point; the abuse potential for a spoofable protocol that does not provide amplification is low; one might as well just spoof the packets directly and be done with it (and people do, but attempts to mitigate this are a subject for a different discussion!)
>
>> And NTP (certainly a most useful thing) has been overwhelmed by a simple DOS (denial of service attack) and therefore, the NTP network itself --with all its advantages-- must be protected.
> Already done: pretty much all of the intentionally public servers out there were clamped down months ago, and at my day job we're iteratively going over all of our customer stuff, prioritized by abuse potential.
>
> By the way, NTP and the "NTP network" (not sure what that is) have not been overwhelmed; it's the poor folks whose addresses are spoofed as part of a coordinated attack who are getting overwhelmed.  The NTP servers that are leveraged to be part of the attack generally continue working fine.
>
>> NTP, as you well know, is used by most computers connected to the Web today, just like Visa Cards are used by most human beings in the US.
>>
>> You would probably agree that attacks, against poorly-protected Visa Card databases, are the problems of the databases managers, not the problem of hackers trying to gain access to them.
>> http://business.time.com/2014/02/11/targets-hacking-fix-is-second-rate-says-consumer-reports/
> Actually the problem there is a business decision on the part of the credit card issuers (now being revisited) that mag stripe and signature would keep the fraud level down to tolerable levels and that the cost of implementing chip and signature or chip and pin exceeded the likely return on that investment.  For many years that was true, but those who don't periodically revisit the threat ecosystem eventually make themselves look like fools when they rail against the threat posed by the Kaiser...  and so it is with the credit card folks.

Yes, I am quite familiar with the problem. The fellow who is in charge of 
pushing the US Credit Card companies to get the new card is a Belgian 
Ham, good friend of mine. Comes two or three times a year to the US for 
meetings. We then have dinner together, and he tells me that "la carte 
à puce" had not --so far-- been considered attractive by US banks, 
mainly because all points of sale, all around the US, would need new 
interface boxes (in which you would insert your card). Apparently, 
again so far, the main losers were businesses in Europe.
But the recent disasters in December (Target, etc.) have --finally-- 
changed perception on this side of the Atlantic. (More to follow, if you 
are interested.)

>
> Here is another point that should have been made by the article since it left you with an incorrect impression - your personal computer is almost certainly not vulnerable to being leveraged to be part of the attack for two reasons:
>
> 1) You are in all probability not running an NTP *server*.  You are running an NTP client, and a restricted one at that.
> 2) Your computer is behind a firewall with a "default deny inbound" policy.
I know that I do not operate an NTP server :-)
The original BBC article, however, spoke of:

"Online security specialists Cloudflare said it recorded the "biggest" 
attack of its kind on Monday. Hackers used weaknesses in the Network 
Time Protocol (NTP), a system used to synchronise computer clocks, to 
flood servers with huge amounts of data. The technique could 
potentially be used to force popular services offline."

> 73 (still dear, not formerly dear!)


Of course!
73
andré
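For readers of the archive, the exchange above turns on one detail of ntpd rather than of NTP itself: the "monlist" command is a mode 7 (private, implementation-specific) request, and a single small request can draw a stream of full-size reply packets back to whatever source address the request claims to come from. The following is an added example, not code from either correspondent or from the ntpd project. It builds the 8-byte mode 7 request header, decodes reply headers, and computes the byte-level amplification ratio from a constructed reply stream. The field layout and the constants (implementation number 3 for ntpd, request code 42 for MON_GETLIST_1, 72-byte entries, six entries per reply packet) are taken from ntpd's ntp_request.h; every packet in the block is constructed by hand, not captured from a live server, and the ratio it prints is measured against the bare 8-byte header, so probes that pad the request further will see a smaller figure.

```python
"""Decode ntpd "mode 7" (private) packets, the request type that carries
the monlist command discussed in this thread.

Added example for readers of the archive; it is not code from either
correspondent or from the ntpd project. The field layout follows ntpd's
ntp_request.h (struct req_pkt / struct resp_pkt). Every packet built below
is constructed by hand, not captured from a real server.
"""
import struct

MODE_PRIVATE = 7           # NTP packet mode 7: implementation-specific requests
IMPL_XNTPD = 3             # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42     # request code for "monlist"
INFO_ERR = {0: "OKAY", 1: "IMPL", 2: "REQ", 3: "FMT", 4: "NODATA", 7: "AUTH"}
MONLIST_ITEM_SIZE = 72     # bytes per info_monitor_1 entry in a monlist reply
MONLIST_ITEMS_PER_PKT = 6  # entries per reply packet (8 + 6 * 72 = 440 bytes)

# rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize
HDR = struct.Struct("!BBBBHH")


def build_mode7_request(request_code, total_len=8, version=2):
    """Unauthenticated mode 7 request: 8-byte header, zero-padded to total_len.

    Probes seen on the wire pad the header to various lengths; the header is
    what carries the request code, the padding only changes the ratio.
    """
    rm_vn_mode = (version << 3) | MODE_PRIVATE   # R=0, M=0, VN=version, mode=7
    hdr = HDR.pack(rm_vn_mode, 0, IMPL_XNTPD, request_code, 0, 0)
    if total_len < len(hdr):
        raise ValueError("total_len must be at least the 8-byte header")
    return hdr + bytes(total_len - len(hdr))


def parse_mode7_packet(pkt):
    """Split the 8-byte mode 7 header into its named fields."""
    if len(pkt) < HDR.size:
        raise ValueError("packet shorter than mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = HDR.unpack(pkt[:HDR.size])
    return {
        "response": bool(rm_vn_mode & 0x80),   # R bit: set on replies
        "more": bool(rm_vn_mode & 0x40),       # M bit: more reply packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "authenticated": bool(auth_seq & 0x80),
        "sequence": auth_seq & 0x7F,           # 7-bit packet sequence number
        "implementation": impl,
        "request": req,
        "error": INFO_ERR.get(err_nitems >> 12, "UNKNOWN"),  # top 4 bits
        "nitems": err_nitems & 0x0FFF,         # low 12 bits
        "itemsize": mbz_itemsize & 0x0FFF,
        "payload_len": len(pkt) - HDR.size,
    }


def build_monlist_reply(nitems, sequence, more):
    """Constructed monlist reply with nitems 72-byte entries (bodies zeroed)."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = HDR.pack(rm_vn_mode, sequence & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                   nitems, MONLIST_ITEM_SIZE if nitems else 0)
    return hdr + bytes(nitems * MONLIST_ITEM_SIZE)


def build_error_reply(err_code):
    """Constructed reply carrying only an error code and no items."""
    rm_vn_mode = 0x80 | (2 << 3) | MODE_PRIVATE
    return HDR.pack(rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, err_code << 12, 0)


def monlist_replies_for(n_hosts):
    """Constructed reply stream for a server that remembers n_hosts clients."""
    packets, remaining, seq = [], n_hosts, 0
    while remaining > 0:
        n = min(remaining, MONLIST_ITEMS_PER_PKT)
        remaining -= n
        packets.append(build_monlist_reply(n, seq, more=remaining > 0))
        seq += 1
    return packets


def amplification_factor(request, replies):
    """Bytes returned per byte sent, counting UDP payload only."""
    return sum(len(r) for r in replies) / len(request)


if __name__ == "__main__":
    req = build_mode7_request(REQ_MON_GETLIST_1)
    print("request header:", req.hex())
    full = monlist_replies_for(600)
    print("600 remembered hosts -> %d packets, %d bytes, %.0fx amplification"
          % (len(full), sum(map(len, full)), amplification_factor(req, full)))
    closed = [build_error_reply(4)]   # constructed: error-only reply, no entries
    print("error-only reply (%s) -> %.0fx"
          % (parse_mode7_packet(closed[0])["error"], amplification_factor(req, closed)))
```

The mitigation Rob refers to is a one-line change in ntp.conf: `disable monitor` turns the monlist data off, and a `restrict default kod nomodify notrap nopeer noquery` line additionally makes ntpd drop mode 6 and mode 7 queries from the outside altogether (add an explicit `restrict 127.0.0.1` so local tools keep working). ntpd 4.2.7p26 and later no longer implement monlist at all. A server answering only with the short error-only reply shown above returns no more bytes than it received, which is why it is useless to the attacker even though it is still "open" in the sense of answering time queries.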

