On Wed, Oct 21, 2015 at 03:13:02PM -0400, Jared Mauch wrote:
> with this public disclosure: http://www.cs.bu.edu/~goldbe/NTPattack.html
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705

A few more comments on this issue.

The fix that was included in ntp-4.2.8p4 added a log message that should warn that ntpd as a client is under attack. That can be helpful for the user to know, but it doesn't really fix the issue on the server which has enabled rate limiting. I think it also creates a new problem: an attacker could spam the client's syslog with these messages and fill the disk. Harlan, could you please consider adding a rate limit for the message to prevent that?

As for fixing the CVE, the NTPattack paper suggests not dropping all packets from rate-limited clients, but replying randomly (similarly to RRL in DNS) to some percentage of the requests that appear to be coming from the client, so it will not be completely starved. I like the idea. The question is how restrict kod fits into this when it's enabled. Maybe some percentage of the replies could be KoD packets. For example, a client that is under attack would get on average one reply for eight requests, and one in eight of those would be a KoD RATE reply. Does that seem reasonable?

-- 
Miroslav Lichvar
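
As an added illustration of the proposal in this message (example code, not ntpd's code and not from the thread), a simplified Python model of a server-side rate limit that still answers a random fraction of requests from a limited source and sends a fraction of those answers as KoD RATE. The limiter rule, the 1/8 values, the address and the traffic pattern in `simulate` are assumed and constructed for the demonstration.

```python
import random
from dataclasses import dataclass, field


@dataclass
class RateLimiter:
    """Simplified model of a server-side NTP rate limit (assumed, not ntpd's
    real leaky-bucket logic): a source is 'limited' when its packets arrive
    closer together than min_interval seconds."""
    min_interval: float = 2.0
    reply_fraction: float = 1 / 8   # limited requests that still get an answer
    kod_fraction: float = 1 / 8     # of those answers, the share sent as KoD RATE
    drop_all: bool = False          # old behaviour: limited sources get nothing
    last_seen: dict = field(default_factory=dict)

    def decide(self, src, now, rng):
        """Return 'reply', 'kod' or 'drop' for a request from src at time now."""
        prev = self.last_seen.get(src)
        self.last_seen[src] = now
        limited = prev is not None and now - prev < self.min_interval
        if not limited:
            return "reply"
        if self.drop_all or rng.random() >= self.reply_fraction:
            return "drop"
        return "kod" if rng.random() < self.kod_fraction else "reply"


def simulate(limiter, polls=1000, poll_interval=64.0, spoof_rate=1.0, seed=7):
    """Constructed scenario: one legitimate client polls every poll_interval
    seconds while spoofed packets bearing its address (192.0.2.10 is a
    documentation address) arrive at spoof_rate per second, which keeps the
    source limited. Returns (answered, kods) counted over the legitimate polls."""
    rng = random.Random(seed)
    src, t = "192.0.2.10", 0.0
    answered = kods = 0
    for _ in range(polls):
        for k in range(int(poll_interval * spoof_rate)):
            limiter.decide(src, t + (k + 0.5) / spoof_rate, rng)
        t += poll_interval
        verdict = limiter.decide(src, t, rng)
        if verdict != "drop":
            answered += 1
        if verdict == "kod":
            kods += 1
    return answered, kods


if __name__ == "__main__":
    print("drop all:     ", simulate(RateLimiter(drop_all=True)))  # (0, 0)
    print("probabilistic:", simulate(RateLimiter()))  # roughly 1/8 answered
```

With `drop_all=True` the legitimate client never gets an answer once spoofed traffic keeps it limited; with the probabilistic policy it still receives about one reply in eight, a small share of them KoD RATE.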
