Thank you for clarifying my question. I learned a lot.

> it would not be sent as there is an additional check made before transmission 
> comparing the length of the request and response.

What comparison is done between the length of the request and response?

> If the NTP server didn't respond to unauthenticated NTP requests, it couldn't 
> respond with NTS NAK to indicate to the client that it has expired cookies.

I understand.
I think sending NTS NAK is necessary for mis-authenticated NTP packets, but not 
necessary for plain NTP packets.
Is my understanding correct?

I have another question.
RFC8915 describes "8.7. NTS Stripping". Isn't it applicable to Chrony?

Best Regards,

-----Original Message-----
From: Miroslav Lichvar <mlich...@redhat.com> 
Sent: Monday, January 9, 2023 9:42 PM
To: chrony-users@chrony.tuxfamily.org
Subject: Re: [chrony-users] RE: Can we deny non-NTS client?

On Mon, Jan 09, 2023 at 12:15:23PM +0000, akihiko.iz...@sony.com wrote:
> > chrony does not implement any modes that could amplify NTP traffic
> 
> Thank you.
> But I'm afraid the NTP server is vulnerable to spoofed source IP addresses of NTP 
> clients; it may participate in DDoS attacks even though chrony does not amplify 
> NTP traffic (amplification factor is small).

A reflection (amplification factor of 1.0) does not seem to be useful.
If you can spoof the source address, why not send packets directly to the 
victim? At least, I have not heard of any DDoS attacks using a 1:1 reflection.

If that was an issue, many other protocols could be exploited, e.g.
TCP, ICMP.

In any case, NTP authentication doesn't prevent reflection. It actually makes 
it easier as the packets are longer, so a single server would reflect more 
traffic (if it is limited by packet rate).

--
Miroslav Lichvar


-- 
To unsubscribe email chrony-users-requ...@chrony.tuxfamily.org 
with "unsubscribe" in the subject.
For help email chrony-users-requ...@chrony.tuxfamily.org 
with "help" in the subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.

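The length check and the reflection discussion in this thread, as an added example that is not chrony's code: a small Python model of an NTP server that builds 48-byte NTPv4 headers, a generic extension field standing in for the NTS fields that make authenticated packets longer, an NTS NAK kiss-o'-death reply (stratum 0, kiss code "NTSN", per RFC 8915), and an assumed anti-reflection guard that refuses to transmit any response longer than the request that triggered it. The extension field type 0xFF00, the payload sizes and the guard rule are constructed assumptions for illustration, not a description of how chrony actually implements its comparison.

```python
import struct

NTP_HEADER_LEN = 48  # fixed NTPv4 header size (RFC 5905)
MODE_CLIENT, MODE_SERVER = 3, 4
FAKE_NTS_FIELD_TYPE = 0xFF00  # constructed placeholder, not a real NTS field type


def build_header(mode, stratum=2, ref_id=b"LOCL"):
    """Minimal 48-byte NTPv4 header: LI=0, VN=4, given mode and stratum,
    poll=6, precision=-20, zero root delay/dispersion and zero timestamps.
    Constructed for illustration; no real clock values are involved."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack("!BBbbII4s32s", li_vn_mode, stratum, 6, -20,
                       0, 0, ref_id, b"\x00" * 32)


def build_extension(field_type, body):
    """Generic NTP extension field (RFC 7822 framing): 2-byte type, 2-byte
    total length including this 4-byte header, body padded to a 4-byte
    boundary. Here it stands in for NTS cookies/authenticators."""
    padded = body + b"\x00" * (-len(body) % 4)
    return struct.pack("!HH", field_type, 4 + len(padded)) + padded


def parse_mode(packet):
    """Low three bits of the first byte carry the association mode."""
    return packet[0] & 0x07


def serve(request, nak=False):
    """Response a server would generate for a client-mode request.
    A normal reply mirrors the request's extension length (stand-in for an
    NTS reply carrying fresh cookies); an NTS NAK is a bare 48-byte
    kiss-o'-death packet with stratum 0 and reference ID "NTSN"."""
    if parse_mode(request) != MODE_CLIENT:
        return None
    if nak:
        return build_header(MODE_SERVER, stratum=0, ref_id=b"NTSN")
    response = build_header(MODE_SERVER)
    ext_len = len(request) - NTP_HEADER_LEN
    if ext_len > 0:
        # mirror the request's extension size; "R" bytes are constructed filler
        response += build_extension(FAKE_NTS_FIELD_TYPE, b"R" * (ext_len - 4))
    return response


def amplification_guard(request, response):
    """Assumed anti-reflection rule: never transmit a response that is
    longer than the request. Returns the response to send, or None."""
    if response is None or len(response) > len(request):
        return None
    return response


def amplification_factor(request, response):
    """Bytes sent back per byte received; 0.0 when nothing is sent."""
    return len(response) / len(request) if response else 0.0


def simulate():
    """Run the four exchanges the thread discusses and report
    (request length, transmitted response length, amplification factor)."""
    plain_req = build_header(MODE_CLIENT)
    # authenticated request: header plus a 200-byte constructed NTS-like field
    nts_req = build_header(MODE_CLIENT) + build_extension(FAKE_NTS_FIELD_TYPE, b"C" * 196)
    cases = {
        "plain": (plain_req, serve(plain_req)),
        "nts": (nts_req, serve(nts_req)),
        "nts_nak": (nts_req, serve(nts_req, nak=True)),
        # a hypothetical oversized reply that the guard must suppress
        "oversized": (plain_req, serve(plain_req) + b"\x00" * 64),
    }
    results = {}
    for name, (req, candidate) in cases.items():
        sent = amplification_guard(req, candidate)
        results[name] = (len(req), len(sent) if sent else 0,
                         amplification_factor(req, sent))
    return results


if __name__ == "__main__":
    for name, (req_len, resp_len, factor) in simulate().items():
        print(f"{name:10s} request={req_len:4d}B response={resp_len:4d}B factor={factor:.2f}")
```

`simulate()` shows the two points made in the thread: both the plain and the NTS exchange reflect at a factor of exactly 1.0, but the authenticated one moves 248 bytes per packet instead of 48, while the NTS NAK reflects only a 48-byte packet in response to a 248-byte request, and a reply that would exceed the request size is never sent.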