Re: [chrony-dev] Traffic amplification with chrony commands

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]

To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-dev] Traffic amplification with chrony commands
From: Bill Unruh <unruh@xxxxxxxxxxxxxx>
Date: Fri, 17 Jan 2014 08:16:17 -0800 (PST)

On Fri, 17 Jan 2014, Miroslav Lichvar wrote:

On Thu, Jan 16, 2014 at 07:50:33PM +0100, H�n Johansson wrote:

I would suggest what I think is called a nonce value.


I think that's what ntpd uses with the new mrulist command. The
advantage over the simple padding approach would be saved bandwidth,
but I'm not sure it's really worth the complication in the protocol.
It would break compatibility with older chrony versions in any case.

- Server picks some random number/string and keeps that.
- Client sends a response, without nonce.
- Server takes the apparent client IP and the string and makes some hash
  of that, the nonce value for that client IP.
- Server sends very short response to client, telling: if you want to
  talk to me from your IP (whatever it is), you have to also give this
  nonce.

- Client sends request again, now with nonce.
- Server checks nonce, and if happy sends the real response.

The server could pick a new random number/string every few hours or
minutes or so.


In chrony we would have to use MD5 as the hash unless the dependency
on nss/tomcrypt was no longer optional. How often would the random
number need to be regenerated considering MD5 is no longer secure? I'd
rather avoid having to think about that. :)


MD5 IS still secure for this purpose. It is deprecated, and it is possible to
craft two different messages which will have the same MD5 value (so one should
never md5 sign a text which was given to you by someone else without making
some change to it) plus it has some features which give people a slight worry,
but there have been no attacks which solve the "given md5 hash, find a text
which has that hash" problem. If one has a choice one should use something
else, but if one does not, I would not worry very much.

In case the source IP is faked, the only thing that will be sent to
the attack target is a small nonce.  So it should become a deflation
attack.


Yes, if the request is larger than the reply with nonce.


I think his proposal is that the first reply is just the nonce.


Thanks,


--
William G. Unruh   |  Canadian Institute for|     Tel: +1(604)822-3273
Physics&Astronomy  |     Advanced Research  |     Fax: +1(604)822-5324
UBC, Vancouver,BC  |   Program in Cosmology |     unruh@xxxxxxxxxxxxxx
Canada V6T 1Z1     |      and Gravity       |  www.theory.physics.ubc.ca/

Follow-Ups:
- Re: [chrony-dev] Traffic amplification with chrony commands
  - From: Håkan Johansson

References:
- [chrony-dev] Re: [chrony-users] Run chrony without acting as a NTP server
  - From: Bill Unruh
- [chrony-dev] Traffic amplification with chrony commands
  - From: Miroslav Lichvar
- Re: [chrony-dev] Traffic amplification with chrony commands
  - From: Håkan Johansson
- Re: [chrony-dev] Traffic amplification with chrony commands
  - From: Miroslav Lichvar

Messages sorted by: [ date | thread ]
Prev by Date: Re: [chrony-dev] Traffic amplification with chrony commands
Next by Date: Re: [chrony-dev] Traffic amplification with chrony commands
Previous by thread: Re: [chrony-dev] Traffic amplification with chrony commands
Next by thread: Re: [chrony-dev] Traffic amplification with chrony commands

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/