Re: [ntp:questions] better rate limiting against amplification attacks?
A C wrote:
> On 1/8/2014 18:31, William Unruh wrote:
>> But this sounds like it is shooting someone else in the foot. That is
>> more serious. Ie, the default is that you should have to work quite
>> hard to enable the system to run these amplification attacks (I assume
>> that this is using the control system to send control/info packets,
>> rather than ntp time protocol packets)
>
> It is unclear (or, more correctly, not publicly documented yet) whether
> the attack used the monlist function (outlined in a CERT advisory in
> December) or some other method utilizing NTP protocols. But it was
> enough of an attack to cripple the gaming servers for some time.

It is indeed using the 'ntpdc -c monlist' mode 7 packet with a faked sender to do these attacks; we've added 'noquery' to our three external ipv4 pool servers. (This is after our CERT guys saw multiple attempts to use those servers as part of a DDOS attack.)

My home ipv6 server still allows external users to ask for the monitor list, but only via the new 'ntpq -c mrulist' interface which is safe against fake sender/redirect attacks.

Terje
-- 
- Terje.Mathisen at tmsw.no
almost all programming can be viewed as an exercise in caching

___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
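The 'ntpdc -c monlist' mode 7 request Terje describes, as an added example that is not part of the original thread or of the ntp distribution: a small Python probe that sends the same 8-byte REQ_MON_GETLIST_1 packet, collects the reply fragments, and reports the bytes-out to bytes-in ratio, which is exactly what a spoofed source address turns into an amplifier. Run it against a server you operate before and after adding 'noquery' (or 'disable monitor'); a fixed server answers nothing. The header layout and error codes follow ntp_request.h; the fake_monlist_reply helper, its 72-byte zero-filled records and the sample values in the usage are constructed for offline testing, not captured from a real server.

```python
"""Probe whether an NTP server still answers mode 7 'monlist' (REQ_MON_GETLIST_1).

Added example; not code from the ntp project.  Send to hosts you are
authorised to test only.  The spoofing an attacker adds is deliberately
not implemented here: the point is to measure what your server gives away.
"""
import socket
import struct

# Mode 7 ("private") header, 8 bytes: rm_vn_mode, auth_seq, implementation,
# request, err_nitems (4-bit err + 12-bit count), mbz_itemsize (4-bit mbz + 12-bit size).
MODE7_HDR = struct.Struct("!BBBBHH")
NTP_VERSION = 2           # version field carried in mode 7 requests
MODE_PRIVATE = 7
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42    # 0x2a, the request code behind 'ntpdc -c monlist'
INFO_ERR_NAMES = {0: "okay", 1: "impl", 2: "req", 3: "fmt", 4: "nodata", 7: "auth"}


def build_monlist_request() -> bytes:
    """The 8-byte packet ntpdc sends: R=0, M=0, version 2, mode 7, request 42, no items."""
    rm_vn_mode = (NTP_VERSION << 3) | MODE_PRIVATE          # 0x17
    return MODE7_HDR.pack(rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode a mode 7 packet header; raises ValueError on anything shorter than 8 bytes."""
    if len(pkt) < MODE7_HDR.size:
        raise ValueError("packet shorter than mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = MODE7_HDR.unpack_from(pkt)
    return {
        "response": bool(rm_vn_mode & 0x80),   # R bit: this packet is a reply
        "more": bool(rm_vn_mode & 0x40),       # M bit: further fragments follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "seq": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "err": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
        "payload_len": len(pkt) - MODE7_HDR.size,
    }


def classify_replies(replies) -> str:
    """Summarise what the server did with the monlist request."""
    if not replies:
        return "no reply (noquery, disable monitor, or filtered)"
    first = parse_mode7_header(replies[0])
    if not first["response"] or first["mode"] != MODE_PRIVATE:
        return "unexpected non-mode-7 reply"
    if first["err"]:
        return "error reply: " + INFO_ERR_NAMES.get(first["err"], str(first["err"]))
    total = sum(parse_mode7_header(r)["nitems"] for r in replies)
    return f"monlist served: {total} entries in {len(replies)} packets"


def amplification_factor(request: bytes, replies) -> float:
    """Bytes the server sent per byte the (possibly spoofed) client sent."""
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, port: int = 123, timeout: float = 2.0):
    """Send one monlist request; collect fragments until the M bit clears or we time out."""
    request = build_monlist_request()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(request, (host, port))
        while True:
            data, _ = sock.recvfrom(2048)
            replies.append(data)
            if not parse_mode7_header(data)["more"]:
                break
    except (socket.timeout, ValueError):
        pass                                   # silence from a 'noquery' server ends here
    finally:
        sock.close()
    return request, replies


def fake_monlist_reply(nitems: int, more: bool, err: int = 0, seq: int = 0) -> bytes:
    """Constructed reply for offline testing: header plus nitems zero-filled 72-byte records."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (NTP_VERSION << 3) | MODE_PRIVATE
    hdr = MODE7_HDR.pack(rm_vn_mode, seq, IMPL_XNTPD, REQ_MON_GETLIST_1,
                         (err << 12) | nitems, 72 if nitems else 0)
    return hdr + bytes(72 * nitems)


if __name__ == "__main__":
    import sys
    req, rep = probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(classify_replies(rep), "amplification x%.1f" % amplification_factor(req, rep))
```

Two constructed fragments of six records each already give a ratio of 110 for an 8-byte request, which is why a spoofed source works so well. The fix Terje applied is the ntp.conf restriction `restrict default kod nomodify notrap nopeer noquery` (and the matching `restrict -6 default ...` line, since the IPv4 rule does not cover IPv6); `disable monitor` removes the data the request would return. After either change the probe should report "no reply".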
Re: [ntp:questions] enable pps not working from ntp.conf
On Wed, 08 Jan 2014 22:50:21, William Unruh wrote:

> On 2014-01-08, Harlan Stenn st...@ntp.org wrote:
>> Brian Inglis writes:
>>> On 2014-01-07 09:55, Dennis Golden wrote:
>>>> I have searched to find an answer to this problem with no success.
>>>> I am using the oncore clock (127.127.30.0) and have included
>>>> "enable pps" in ntp.conf, but I get the following in /var/log messages:
>>>>
>>>> line 59 column 8 syntax error, unexpected T_String
>>>> syntax error in /etc/ntp.conf line 59, column 8
>>>>
>>>> I can use ntpdc to set this option with no problem. Any ideas?
>>>
>>> enable pps is documented in the miscopt.html command summary lines:
>>>
>>> enable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats ]
>>> disable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats ]
>>
>> Not as of 4.2.7p410.
>
> But it is as of 4.2.6p5 even though it does not work there. Ie, sometimes
> the documentation and the program are not quite in sync (not entirely
> surprising). In this case it looks like someone tried to take it out of
> the docs, but missed the |pps| in the line giving the options of the
> enable/disable commands. They did remove the explanation of what this
> option means.

But if I use ntpdc:

ntpdc> enable pps
done!
ntpdc> quit

I see this with tail /var/log/ntp:

9 Jan 04:26:17 ntpd[19607]: GPS_ONCORE(0) 87b4 84 reachable
9 Jan 09:07:46 ntpd[19607]: GPS_ONCORE(0) 87c3 83 unreachable
9 Jan 09:07:48 ntpd[19607]: 96.226.242.9 961a 8a sys_peer
9 Jan 09:08:47 ntpd[19607]: GPS_ONCORE(0) 80d4 84 reachable
9 Jan 09:08:47 ntpd[19607]: GPS_ONCORE(0) 90ea 8a sys_peer
9 Jan 09:13:54 ntpd[19607]: GPS_ONCORE(0) 87f3 83 unreachable
9 Jan 09:18:56 ntpd[19607]: 96.226.242.9 941a 8a sys_peer
9 Jan 09:22:26 ntpd[19607]: GPS_ONCORE(0) 8713 83 unreachable
9 Jan 09:22:41 ntpd[19607]: GPS_ONCORE(0) 8724 84 reachable
9 Jan 10:38:59 ntpd[19607]: 0.0.0.0 041d 0d kern PPS enabled

And this with tail /var/lib/ntp/tmp/protostats:

5 37577.185 GPS_ONCORE(0) 87b4 84 reachable
5 54466.517 GPS_ONCORE(0) 87c3 83 unreachable
5 54468.518 96.226.242.9 961a 8a sys_peer
5 54527.186 GPS_ONCORE(0) 80d4 84 reachable
5 54527.186 GPS_ONCORE(0) 90ea 8a sys_peer
5 54834.517 GPS_ONCORE(0) 87f3 83 unreachable
5 55136.530 96.226.242.9 941a 8a sys_peer
5 55346.517 GPS_ONCORE(0) 8713 83 unreachable
5 55361.190 GPS_ONCORE(0) 8724 84 reachable
5 59939.189 0.0.0.0 041d 0d kern PPS enabled

Regards,
Dennis
-- 
Dennis Golden
Golden Consulting Services
Change 'invalid' to 'com' to reply by email.
Re: [ntp:questions] enable pps not working from ntp.conf
On Thu, 09 Jan 2014 16:50:30, Dennis Golden wrote:

> On Wed, 08 Jan 2014 22:50:21, William Unruh wrote:
>
>> On 2014-01-08, Harlan Stenn st...@ntp.org wrote:
>>> Brian Inglis writes:
>>>> On 2014-01-07 09:55, Dennis Golden wrote:
>>>>> I have searched to find an answer to this problem with no success.
>>>>> I am using the oncore clock (127.127.30.0) and have included
>>>>> "enable pps" in ntp.conf, but I get the following in /var/log messages:
>>>>>
>>>>> line 59 column 8 syntax error, unexpected T_String
>>>>> syntax error in /etc/ntp.conf line 59, column 8
>>>>>
>>>>> I can use ntpdc to set this option with no problem. Any ideas?
>>>>
>>>> enable pps is documented in the miscopt.html command summary lines:
>>>>
>>>> enable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats ]
>>>> disable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats ]
>>>
>>> Not as of 4.2.7p410.
>>
>> But it is as of 4.2.6p5 even though it does not work there. Ie, sometimes
>> the documentation and the program are not quite in sync (not entirely
>> surprising). In this case it looks like someone tried to take it out of
>> the docs, but missed the |pps| in the line giving the options of the
>> enable/disable commands. They did remove the explanation of what this
>> option means.
>
> But if I use ntpdc:
>
> ntpdc> enable pps
> done!
> ntpdc> quit

[snip]

Sorry for the lack of formatting.

tail /var/log/ntp:

9 Jan 04:26:17 ntpd[19607]: GPS_ONCORE(0) 87b4 84 reachable
9 Jan 09:07:46 ntpd[19607]: GPS_ONCORE(0) 87c3 83 unreachable
9 Jan 09:07:48 ntpd[19607]: 96.226.242.9 961a 8a sys_peer
9 Jan 09:08:47 ntpd[19607]: GPS_ONCORE(0) 80d4 84 reachable
9 Jan 09:08:47 ntpd[19607]: GPS_ONCORE(0) 90ea 8a sys_peer
9 Jan 09:13:54 ntpd[19607]: GPS_ONCORE(0) 87f3 83 unreachable
9 Jan 09:18:56 ntpd[19607]: 96.226.242.9 941a 8a sys_peer
9 Jan 09:22:26 ntpd[19607]: GPS_ONCORE(0) 8713 83 unreachable
9 Jan 09:22:41 ntpd[19607]: GPS_ONCORE(0) 8724 84 reachable
9 Jan 10:38:59 ntpd[19607]: 0.0.0.0 041d 0d kern PPS enabled

And this with tail /var/lib/ntp/tmp/protostats:

5 37577.185 GPS_ONCORE(0) 87b4 84 reachable
5 54466.517 GPS_ONCORE(0) 87c3 83 unreachable
5 54468.518 96.226.242.9 961a 8a sys_peer
5 54527.186 GPS_ONCORE(0) 80d4 84 reachable
5 54527.186 GPS_ONCORE(0) 90ea 8a sys_peer
5 54834.517 GPS_ONCORE(0) 87f3 83 unreachable
5 55136.530 96.226.242.9 941a 8a sys_peer
5 55346.517 GPS_ONCORE(0) 8713 83 unreachable
5 55361.190 GPS_ONCORE(0) 8724 84 reachable
5 59939.189 0.0.0.0 041d 0d kern PPS enabled

-- 
Dennis Golden
Golden Consulting Services
Change 'invalid' to 'com' to reply by email.
Re: [ntp:questions] enable pps not working from ntp.conf
On Thu, 09 Jan 2014 17:05:04, Dennis Golden wrote:

> On Thu, 09 Jan 2014 16:50:30, Dennis Golden wrote:
>
>> On Wed, 08 Jan 2014 22:50:21, William Unruh wrote:
>>
>>> On 2014-01-08, Harlan Stenn st...@ntp.org wrote:
>>>> Brian Inglis writes:
>>>>> On 2014-01-07 09:55, Dennis Golden wrote:
>>>>>> I have searched to find an answer to this problem with no success.
>>>>>> I am using the oncore clock (127.127.30.0) and have included
>>>>>> "enable pps" in ntp.conf, but I get the following in /var/log messages:
>>>>>>
>>>>>> line 59 column 8 syntax error, unexpected T_String
>>>>>> syntax error in /etc/ntp.conf line 59, column 8
>>>>>>
>>>>>> I can use ntpdc to set this option with no problem. Any ideas?
>>>>>
>>>>> enable pps is documented in the miscopt.html command summary lines:
>>>>>
>>>>> enable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats ]
>>>>> disable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats ]
>>>>
>>>> Not as of 4.2.7p410.
>>>
>>> But it is as of 4.2.6p5 even though it does not work there. Ie, sometimes
>>> the documentation and the program are not quite in sync (not entirely
>>> surprising). In this case it looks like someone tried to take it out of
>>> the docs, but missed the |pps| in the line giving the options of the
>>> enable/disable commands. They did remove the explanation of what this
>>> option means.
>>
>> But if I use ntpdc:
>>
>> ntpdc> enable pps
>> done!
>> ntpdc> quit

[snip]

I give up. I see some of you able to post nicely formatted information. What news reader are you using? I'm using pan2.

Dennis
-- 
Dennis Golden
Golden Consulting Services
Change 'invalid' to 'com' to reply by email.
Re: [ntp:questions] enable pps not working from ntp.conf
On 01/09/2014 06:15 PM, Dennis Golden wrote:
> I give up. I see some of you able to post nicely formatted information.
> What news reader are you using? I'm using pan2.

Your messages as seen here were properly formatted.
Re: [ntp:questions] enable pps not working from ntp.conf
On 2014-01-09, Dennis Golden dgolden@golden-consulting.invalid wrote:

> I give up. I see some of you able to post nicely formatted information.

Using a fixed width font makes a big difference.

> What news reader are you using? I'm using pan2.

Take a look at the article headers to see what a particular author is using. I use slrn, a text mode news-reader: http://www.slrn.org

In this thread I found:

User-Agent: Pan/0.139 (Sexual Chocolate; GIT bf56508 git://git.gnome.org/pan2)
User-Agent: slrn/0.9.9p1 (Linux)
X-Mailer: MH-E 7.4.2; nmh 1.5; XEmacs 21.4 (patch 22)

-- 
Steve Kostecke koste...@ntp.org
NTP Public Services Project - http://support.ntp.org/
Re: [ntp:questions] better rate limiting against DDoS amplification attacks?
On 2014-01-08 21:24, Harlan Stenn wrote:
> William Unruh writes:
>> On 2014-01-09, A C agcarver+...@acarver.net wrote:
>>> http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/
>>>
>>> Here's a live amplification attack at work.
>>>
>>> As I wrote in another post I believe the time is ripe for a sensible
>>> default builtin configuration, which can then be overridden with
>>> ntp.conf. Your suggestion in your previous message is very similar to
>>> what I wanted, i.e. the default is to have a pure client using the
>>> pool. As soon as you start writing detailed ntp.conf options I want
>>> you to have the ability to shoot yourself in the foot, if that is
>>> your wish.
>>
>> But this sounds like it is shooting someone else in the foot. That is
>> more serious. Ie, the default is that you should have to work quite
>> hard to enable the system to run these amplification attacks (I assume
>> that this is using the control system to send control/info packets,
>> rather than ntp time protocol packets)
>
> I'm not seeing any new information here.
>
> For DECADES people did not take malicious advantage of things like
> this. Now some folks are.
>
> The root problem is not an issue for ntp-4.2.7, and there is a simple
> solution for earlier versions.
>
> How about we limit discussion on this thread to actual new information?

This looks like valuable configuration/operation advice easily found by searches, which is not easily found on NTF, NTP, Pool, or other time server sites, or these problems would not be occurring, and these discussions would not be required.

Given this attack is now active in the wild, it would be good to see prominent notices on the above support sites linking to advice on how to deal with this threat: upgrading to dev releases, where that is possible, or defensive measures for older releases, where orgs can not upgrade from distro or vendor supported releases because of software support policies.

Could you perhaps have someone state the simple solution for earlier versions on the NTP support site where it can be easily found, and link to it here? Future discussions could then be truncated by providing that link.

Saying upgrade, authenticate, or RTFM could lead to drastic responses like firewall blocking by ISPs and orgs, because of financial and liability risks to individuals and orgs currently allowing these services, with consequent reductions of public and pool server availability, and higher loads on those well known sources still accessible.

-- 
Take care. Thanks, Brian Inglis
Re: [ntp:questions] better rate limiting against DDoS amplification attacks?
On 2014-01-10, Brian Inglis brian.ing...@systematicsw.ab.ca wrote:

> On 2014-01-08 21:24, Harlan Stenn wrote:

[---=| Quote block shrinked by t-prot: 22 lines snipped |=---]

>> I'm not seeing any new information here.

[snip]

> Could you perhaps have someone state the simple solution for earlier
> versions on the NTP support site where it can be easily found, and link
> to it here? Future discussions could then be truncated by providing
> that link.

I've attempted to initiate some discussion about this in another forum and am still waiting for replies.

-- 
Steve Kostecke koste...@ntp.org
NTP Public Services Project - http://support.ntp.org/
Re: [ntp:questions] enable pps not working from ntp.conf
Below is what it looks like to me. Assuming that the ">" are at the beginning of the lines.

On 2014-01-09, Dennis Golden dgolden@golden-consulting.invalid wrote:
> On Thu, 09 Jan 2014 16:50:30, Dennis Golden wrote:
>
>> On Wed, 08 Jan 2014 22:50:21, William Unruh wrote:
>>
>>> On 2014-01-08, Harlan Stenn st...@ntp.org wrote:
>>>> Brian Inglis writes:
>>>>> On 2014-01-07 09:55, Dennis Golden wrote:
>>>>>> I have searched to find an answer to this problem with no success.
>>>>>> I am using the oncore clock (127.127.30.0) and have included
>>>>>> "enable pps" in ntp.conf, but I get the following in /var/log messages:
>>>>>>
>>>>>> line 59 column 8 syntax error, unexpected T_String
>>>>>> syntax error in /etc/ntp.conf line 59, column 8
>>>>>>
>>>>>> I can use ntpdc to set this option with no problem. Any ideas?
>>>>>
>>>>> enable pps is documented in the miscopt.html command summary lines:
>>>>>
>>>>> enable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats ]
>>>>> disable [ auth | bclient | calibrate | kernel | monitor | ntp | pps | stats ]
>>>>
>>>> Not as of 4.2.7p410.
>>>
>>> But it is as of 4.2.6p5 even though it does not work there. Ie, sometimes
>>> the documentation and the program are not quite in sync (not entirely
>>> surprising). In this case it looks like someone tried to take it out of
>>> the docs, but missed the |pps| in the line giving the options of the
>>> enable/disable commands. They did remove the explanation of what this
>>> option means.
>>
>> But if I use ntpdc:
>>
>> ntpdc> enable pps
>> done!
>> ntpdc> quit
>
> [snip]
>
> Sorry for the lack of formatting.
>
> tail /var/log/ntp:
>
> 9 Jan 04:26:17 ntpd[19607]: GPS_ONCORE(0) 87b4 84 reachable
> 9 Jan 09:07:46 ntpd[19607]: GPS_ONCORE(0) 87c3 83 unreachable
> 9 Jan 09:07:48 ntpd[19607]: 96.226.242.9 961a 8a sys_peer
> 9 Jan 09:08:47 ntpd[19607]: GPS_ONCORE(0) 80d4 84 reachable
> 9 Jan 09:08:47 ntpd[19607]: GPS_ONCORE(0) 90ea 8a sys_peer
> 9 Jan 09:13:54 ntpd[19607]: GPS_ONCORE(0) 87f3 83 unreachable
> 9 Jan 09:18:56 ntpd[19607]: 96.226.242.9 941a 8a sys_peer
> 9 Jan 09:22:26 ntpd[19607]: GPS_ONCORE(0) 8713 83 unreachable
> 9 Jan 09:22:41 ntpd[19607]: GPS_ONCORE(0) 8724 84 reachable
> 9 Jan 10:38:59 ntpd[19607]: 0.0.0.0 041d 0d kern PPS enabled
>
> And this with tail /var/lib/ntp/tmp/protostats:
>
> 5 37577.185 GPS_ONCORE(0) 87b4 84 reachable
> 5 54466.517 GPS_ONCORE(0) 87c3 83 unreachable
> 5 54468.518 96.226.242.9 961a 8a sys_peer
> 5 54527.186 GPS_ONCORE(0) 80d4 84 reachable
> 5 54527.186 GPS_ONCORE(0) 90ea 8a sys_peer
> 5 54834.517 GPS_ONCORE(0) 87f3 83 unreachable
> 5 55136.530 96.226.242.9 941a 8a sys_peer
> 5 55346.517 GPS_ONCORE(0) 8713 83 unreachable
> 5 55361.190 GPS_ONCORE(0) 8724 84 reachable
> 5 59939.189 0.0.0.0 041d 0d kern PPS enabled