For the record I haven't decided whether a blacklist of abusive clients
is necessary or not, although I'm leaning towards thinking it's not a
bad idea.

Brad Knowles wrote:
> At 4:51 PM +0200 2005-09-12, Miroslaw Jaworski wrote:
>>  BTW - when it comes to mechanics - I thought of using ntpd with wrappers
>>  and regenerating wrapper's included ntpd abusers static file every XX
>>  minutes. No slow dynamically changing firewall rules, no frequent
>>  static firewall rules updates and restarts influencing ntp service
>>  quality.
> 
>     TCP-Wrappers is not applicable, since NTP is a pure UDP-based
> protocol.  You really don't have any other place where you could
> implement something like this, outside of a host firewall solution.

I'm not sure whether Miroslaw was talking about tcp-wrappers or not, but
a better solution might be to make ntpd aware of a file on disk (perhaps
a hash like postfix uses for lookups) that contains an IP address (or
classless blocks with mask) per line and it can internally do a lookup
to see whether to respond to the client or not.

>>  No. Because:
>>  1. mail services are hundred times more often used
> 
>     Oh?  How many cisco routers do you think do e-mail?  How many SOHO
> router/gateways/access points do you think do e-mail?  Take a look at
> every single device on the entire Internet around the world, and then
> realize that most of those devices can (and should) use and/or serve
> NTP.  Relatively few of them will do e-mail.

And absolutely none of them would ever need to look-up the blacklist.

You said it yourself, they should be *using* ntp, not *serving* ntp.

The only machines that would need to query the blacklist will be the
(currently 370) servers that are part of the pool. And that would only
include servers where the admin feels it's a problem.

Blacklists are run on the servers providing a service, not on the
clients. This is even the case with SMTP blacklists. If you're involved
like you say you are you should know this.

>>  2. abusing mail services is much more hmm... beneficial to abusers

Not necessarily, as Brad points out below. Abusing mail services might
be more beneficial to spammers, but abusing time services might be more
beneficial to crackers.

>     If you can abuse someone's time server, you create the possibility
> make use of a whole host of replay attacks that would otherwise be
> prevented by good time sync on those machines.  All of Kerberos breaks
> if you don't have good time sync, and Kerberos is used as the basis for
> all modern Windows security.
> 
>     Trust me, you really, really want to protect your time server,
> because *everything* else in security is dependent on it.

Definitely. However, the blacklist is not about protecting the clients
time, it's about protecting the server providing that time.

>>  4. there are tens, possibly hundreds of thousands of mail systems
>>     using blacklists
> 
>     And there would be millions, tens of millions, hundreds of millions,
> maybe even billions of machines that would be using this black list. 
> Yes, it would get a slow start, but it would rapidly pick up as
> companies like Linksys and DLink decide to ship it turned on by default
> with all their boxes.

As I've mentioned above, absolutely none of those routers / desktops /
fridges will ever need to query the blacklist. They are the clients, not
the servers.

>>  To protect my ntp server using ntp abuse blacklist I would need to
>>  contact it 24 times a day ( to refresh a list every hour ), or ~100
>>  ( to refresh my wrappers every 15 minutes ).
> 
>     Yes, but how often would that local black list be consulted?

Why does it matter if it's local, especially if it's some sort of bdb
and not actually stored in memory?

> Fortunately, I think it's now clear to you that we cannot possibly serve
> that kind of data out of a dynamic system like the DNS, but we still
> have to build our support network robustly enough that if some Russian
> net.criminal comes after us, we will be likely to withstand his attack.

I agree that DNS is a really bad idea for setting this up. A simple text
file that is wgetted every 15 minutes would be a much better solution.

>     You can't just do this on a shoestring budget on a 386 running
> FreeBSD-1.1 and a single modem line.  You will need some real resources.

Depends on what you're trying to do.

A 386 would be able to run a simple database and periodically generate a
text file that is then uploaded to 2 or 3 web servers with good
connectivity without any problems at all.

>     When a user goes to the web page to see why he's being blocked, that
> would need to be done against the database.  When they file their
> complaint with the help desk, there would need to be a response within a
> reasonable period of time, and when the help desk staffers go to look
> into the problem in more depth, they'd need to be able to query the
> database as well.

You're assuming that people will even know they've been blacklisted.

It won't be like SMTP where you actually get a message. The only way of
knowing you've been blacklisted with NTP will be that all your servers
have a reachability of 0. How many users are likely to put two-and-two
together?

Having said that, it might be worth sending an email to the
administrator of the net block where the abuse is coming from and asking
them to fix their ntp client. Someone else on this list has posted that
they have had good success with doing this.

>     The help desk staffers would also need to be able to hand-hold the
> users through the process of modifying their NTP client configuration so
> that it is no longer abusive, and is more appropriate for their needs. 

The owner of the server that adds the client to the blacklist should be
able to handle this, and if not then we should be able to get a few
people together who can volunteer to do this.

>     The hardware would need to be enterprise-class, with dual-redundant
> power supplies, dual redundant NICs, mirrored or RAID server-class
> disks, etc..., so that no one single failure can take you out.

You haven't worked in the SME sector for a __long__ time have you?

We're talking about a simple text file of IP addresses that have been
noticed to be sending too many queries, not the online ordering system
for Dell.

Regards
Darryl
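
The file-based lookup proposed above (one address or CIDR block per line, consulted by the server before it answers, refreshed by an external periodic fetch), as an added example that is not part of the original message or of ntpd; the list contents, the `BlacklistFile` class and its method names are constructed for illustration:

```python
import ipaddress
import os

# Constructed sample of the proposed list: one IPv4 address or CIDR block
# per line; '#' comments, blank lines and a malformed line are tolerated.
SAMPLE_BLACKLIST = """\
# ntp abusers (constructed sample, not a real list)
192.0.2.17
198.51.100.0/24
203.0.113.64/27        # covers .64 - .95
not-an-address         # malformed entries are skipped, not fatal
"""


def parse_blacklist(text):
    """Turn the file contents into a list of ip_network objects."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments/whitespace
        if not line:
            continue
        try:
            # strict=False tolerates host bits set, e.g. 10.1.2.3/24
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one bad line must not disable the whole list
    return nets


def is_blacklisted(client, nets):
    """True if the client address falls inside any listed block."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in nets)  # v4/v6 mismatch is False


class BlacklistFile:
    """Lookup backed by a file that an external job (e.g. a periodic
    wget) rewrites; re-parsed only when the file's mtime changes."""

    def __init__(self, path):
        self.path, self.mtime, self.nets = path, None, []

    def refresh(self):
        mtime = os.stat(self.path).st_mtime
        if mtime != self.mtime:           # reload only on change
            with open(self.path) as fh:
                self.nets = parse_blacklist(fh.read())
            self.mtime = mtime
        return self.nets

    def should_respond(self, client):
        """The check a server would run before answering a request."""
        return not is_blacklisted(client, self.refresh())
```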

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers