At 4:51 PM +0200 2005-09-12, Miroslaw Jaworski wrote:
My fault, could have darkened the subject for some :)
Yeah, it's generally a bad idea to go waving large red flags when
there are large bulls around, unless you have a specific need to be
waving large red flags. Otherwise, you generally don't want to
attract their attention, at least not in that way. ;)
BTW - when it comes to mechanics - i though of using ntpd with wrappers
and regenerating wrapper's included ntpd abusers static file every XX
minutes. No slow dynamically changing firewall rules, no frequent
static firewall rules updates and restarts influencing ntp service
quality.
TCP-Wrappers is not applicable, since NTP is a pure UDP-based
protocol. You really don't have any other place where you could
implement something like this, outside of a host firewall solution.
No. Because:
1. mail services are hundred times more often used
Oh? How many cisco routers do you think do e-mail? How many
SOHO router/gateways/access points do you think do e-mail? Take a
look at every single device on the entire Internet around the world,
and then realize that most of those devices can (and should) use
and/or serve NTP. Relatively few of them will do e-mail.
2. abusing mail services is much more hmm... beneficial to abusers
If you can abuse someone's time server, you create the
possibility make use of a whole host of replay attacks that would
otherwise be prevented by good time sync on those machines. All of
Kerberos breaks if you don't have good time sync, and Kerberos is
used as the basis for all modern Windows security.
Trust me, you really, really want to protect your time server,
because *everything* else in security is dependant on it.
3. mail blacklists work more or less real-time ( query every connect
to get the data about the second end )
Granted, an NTP black list would not be updated in real time, but
it would have to be consulted for each and every packet that crosses
each and every router, gateway, firewall, and protected NTP host on
the entire Internet. We would be providing a service with static
local files that are periodically updated for good reason -- we
couldn't possibly tell the entire Internet to hold one for a few
hundred milliseconds while we go do some DNS lookups on a given IP
address for a single NTP packet, and then tell them all to hold on
for a few hundred more milliseconds while we do that all over again
for the next NTP packet.
4. there a tens, possibly hundreds of thousands of mail systems
using blacklists
And there would be millions, tens of millions, hundreds of
millions, maybe even billions of machines that would be using this
black list. Yes, it would get a slow start, but it would rapidly
pick up as companies like Linksys and DLink decide to ship it turned
on by default with all their boxes.
We've seen the UWisc debacle once before. Hell, we've seen that
kind of debacle many times before, in various different guises. We
don't need to create yet another situation like that, all over again.
Here we talk about much smaller service, much less abused ( i can
hardly see benefits from abusing ntp, most ( all?) of the abuse is
unintentional ), without need to be real-time.
Security. Crackers have long known that DNS is a huge security
weakness, and it's trivially easy to poison the caches of nameservers
around the world. But as people slowly upgrade their machines, and
slowly upgrade their configurations, that's getting harder and harder
to do. Pharming is still the rage right now, but it's only going to
last for a few more years.
Security systems like Kerberos can protect against a whole wide
array of different types of replay-based attacks, but only if their
clocks are in good sync. Other attackers will simply go after
whatever they can, simply because they can. Or simply because they
can take you off the 'net, and then blackmail you to pay them
protection money, otherwise they will continue to DoS you off the
'net. Attackers have been going after NTP servers already, and this
kind of behaviour will only increase.
We're just seeing the tip of the iceberg. And we're in a little
life raft, not even a ship that's supposed to be unsinkable.
Some numbers to compare - dns queries from all my mail servers to
single dns blacklist are hundreds of thousands up to 1 million
per day ( some cached by my resolvers, i admit, therefore spamcops )
To protect my ntp server using ntp abuse blacklist i would need to
contact it 24 times a day ( to refresh a list every hour ), or ~100
( to refresh my wrappers every 15 minutes ).
Yes, but how often would that local black list be consulted?
Fortunately, I think it's now clear to you that we cannot possibly
serve that kind of data out of a dynamic system like the DNS, but we
still have to build our support network robustly enough that if some
Russian net.criminal comes after us, we will be likely to withstand
his attack.
To start such a project one won't need to have 7 people company-like
structure prepared. I know - it would be great to have such
operation structure, but noone would put the money into it.
You might not have to start with 7 FTEs, but I can assure you
that it would rapidly grow to the point where you'd need at least
that to properly secure the system against external attack, and to
make sure that the systems operations are robust enough that a single
machine deciding to die doesn't wipe out the whole thing.
You can't just do this on a shoestring budget on a 386 running
FreeBSD-1.1 and a single modem line. You will need some real
resources.
How did ntp pool project started? Were there 7 fulltime workers? :)
Or were there single subject "fans" with strong technical background?
Yeah, but you're not trying to run a black list. You're just
trying to run standard nameserver software with relatively standard
configurations, serving up one or more IP addresses when queried for
A records belonging to a given label. In terms of the high-level
description, that's about as simple as the DNS service gets.
Yes, there are a number of nameservers involved. Yes, there are
a few hundred records involved. Yes, there needs to be a monitoring
system that does "rotation" of the data within the zone, based on who
was most recently in the zone and what the various scores are. So,
it's not quite as simple as just standard DNS administration with a
few zones and a few hundred records. But overall, it's still a
reasonably simple task.
The workload for Adrian was bad enough that he had to bow out,
and I'm sure that the workload is not insignificant for Ask.
Even if you're not handling the black list dynamically via the
DNS, you'd still have to have a robust database storage system to
contain all the data that is periodically extracted out into the flat
text files.
When a user goes to the web page to see why he's being blocked,
that would need to be done against the database. When they file
their complaint with the help desk, there would need to be a response
within a reasonable period of time, and when the help desk staffers
go to look into the problem in more depth, they'd need to be able to
query the database as well.
The help desk staffers would also need to be able to hand-hold
the users through the process of modifying their NTP client
configuration so that it is no longer abusive, and is more
appropriate for their needs. The help desk staffers would also be
the first line of defense for any questions come from NTP server
administrators, and would need to be able to perform some basic
triage before handing over the problem to one of the black list
administrators.
The hardware would need to be enterprise-class, with
dual-redundant power supplies, dual redundant NICs, mirrored or RAID
server-class disks, etc..., so that no one single failure can take
you out.
All this hardware would also have to be hosted at a decent
co-location facility, one with reliable power, remote console, remote
power control (so you can do a hard reboot if you have to), remote
"hands-on" (when you need someone to go physically lay their hands on
the machine because you can't fix it remotely), backups, firewalls,
adequate network bandwidth to be able to sustain a large volume DDoS
attack against your segment, systems and network administration staff
available on-call 24x7, in case there is a serious problem, etc....
We're already doing most of this with the NTP Public Services
Project, with four primary volunteers who put in a lot of time on the
hardware day-in and day-out, and a number of other people who are
involved in various other aspects of operations and development on a
less frequent basis. And knowing what I know about operations like
MAPS and SpamHaus, I believe that we'd need a lot more resources than
we've got today, in order to properly run an NTP black list.
The primary problem is that by running a black list of any sort,
you've created an attractive nuisance. You're the equivalent of
Microsoft thumbing your nose at the hacker community, saying
something like:
Nyah, nyah, ne-nyah, nyah! You can't hack our XBox 360!!!
Or Sony doing that for the PSP (record: three weeks), or somesuch,
and you've just painted a huge red target on yourself. So, you need
to be able to predict what kind and level of attacks you can expect,
and you need to put in place defenses adequate to at least survive
those kinds and levels of attacks without excessive loss of service
to both sides of your community.
Otherwise, we might as well just keep Brown in charge of FEMA,
and let another Hurricane Katrina hit New Orleans all over again.
--
Brad Knowles, <[EMAIL PROTECTED]>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
