On 2014-02-06, Brian Utterback <[email protected]> wrote:
> I recently received a question from a customer about CVE-201305211, the
> monlist amplification attack. Specifically they asked if the attack
> affected xntpd. They had another vendor that said no, that the attack
> only affects ntpd. This surprised me since as far as I know the monlist
> mechanism is the same in xntpd. I thought the vendor was merely
> incorrect. However, I then read the CERT and NIST versions of the CVE
> and there is no mention of xntpd. Indeed, a literal reading of the CVE
> does indeed imply that xntpd is not vulnerable.

Any system which returns a longer output to a query than the input can be
used in an amplification attack. If that difference is less than a factor
of 2, it is probably not worth it for the attacker. If it is a factor of 10,
it is. So what is the length of the responses to a query as a fraction of
the query length? That will tell you.

chrony has just had a release in which the query is now intentionally
padded to be at least as long as the response, and if it is not it is
discarded.

>
> I don't think I am wrong about xntpd being vulnerable. If I am, please
> correct me. But if I am not, we should probably see about getting the
> CVE amended.
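
The padding rule described in the reply above, as an added example that is not part of the original message and is not chrony or ntpd code. The `LIST` service, its sizes and all function names are constructed for illustration; the guard drops any request shorter than the total it would cause the server to send, which caps the amplification factor at 1.

```python
# Added illustration; not chrony or ntpd code. Sizes and names are constructed.

def amplification_factor(request_len, response_lens):
    """Bytes returned per byte received; one query may trigger several datagrams."""
    if request_len <= 0:
        raise ValueError("request length must be positive")
    return sum(response_lens) / request_len


def guarded_reply(request, handler):
    """Apply the padding rule: answer only when the request is at least as
    long as everything it would cause the server to send back."""
    datagrams = handler(request)
    if sum(len(d) for d in datagrams) > len(request):
        return []          # discard silently: replying would amplify
    return datagrams


def list_handler(request):
    """Hypothetical 'list' service: a 4-byte command yields 3 x 400-byte datagrams."""
    if request[:4] != b"LIST":
        return []
    return [bytes(400) for _ in range(3)]


def pad(command, handler):
    """Client side: zero-pad the command to the size of the expected reply."""
    needed = sum(len(d) for d in handler(command))
    return command.ljust(needed, b"\x00")


if __name__ == "__main__":
    short = b"LIST"
    padded = pad(short, list_handler)
    print("unguarded factor:", amplification_factor(len(short), [400, 400, 400]))
    for name, req in (("unpadded", short), ("padded", padded)):
        sent = [len(d) for d in guarded_reply(req, list_handler)]
        print(name, len(req), "bytes in,", sum(sent), "bytes out, factor",
              amplification_factor(len(req), sent))
```

With the guard in place a spoofed source address receives no more traffic than the sender had to transmit, so the service is of no use as a reflector.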
