Re: [chrony-dev] Traffic amplification with chrony commands

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]


On Thu, 16 Jan 2014, Miroslav Lichvar wrote:

On Mon, Jan 13, 2014 at 03:13:44PM -0800, Bill Unruh wrote:

chrony also has the chronyc type queries which can be sent to a remote IP.
Fortunately chronyd's default is to not accept queries from anything but the
local machine, instead of ntpd's default of accepting queries from
the world. However, if you do happen to make chronyd open to
accepting queries from the
world, you can get rather huge multiplication. The chronyc "help" for example put out
something like 3000 characters for a simple query. (although I am not sure
that the remote chronyd actually accepts the help command. Certainly chronyc
seems to answer this one locally).

The help command just prints a message stored in chronyc, no packets
are exchanged with the server.

That was what I seemed to discover as there were no packets exchanged when I
typed help on a remote chronyd from a local chronyc.


I've checked packet lengths for all commands and the biggest offender
is MANUAL_LIST (chronyc manual list), which may amplify the traffic by
up to factor of 17.2. The second worse is CLIENT_ACCESSES_BY_INDEX
(chronyc clients) with factor of 6.5, but the client has to be
authenticated to get the reply. Everything else is below 3. In the
protocol there is at most one reply per request.

The MANUAL_LIST command is used to list up to 32 manual measurements,
which were entered by the SETTIME command when the manual mode is
enabled. It's disabled by default and I think it's unlikely that
someone would use the manual mode on a system connected to internet.

I agree.


So, what do we do? Pad all requests so they are never smaller than
their replies? It wouldn't be very difficult to implement, but it
would obviously break compatibility with older chrony versions. An

That does not sound like a great option, I agree.

easy fix for MANUAL_LIST would be to require authentication.

That sounds fine. It does not seem that chrony is in any real danger of being
used for an amplification attack.

3-1 does not really sound like a terribly useful amplification.



Any suggestions?

The following table has details on all currently supported commands.
The columns are name, flag if it's open to any client or requires
authentication, minimum length of the request in IPv4 packet, maximum
length of the reply in IPv4 packet and the ratio of the two values.
MD5 authentication is assumed for commands with AUTH.

MANUAL_LIST               OPEN   48  828  17.2
CLIENT_ACCESSES_BY_INDEX  AUTH   72  468   6.5
TRACKING                  OPEN   48  132   2.8
SOURCESTATS               OPEN   52  112   2.2
SOURCE_DATA               OPEN   52  104   2.0

Do sourcestats and source data depend on how may sources you have on your
system? Ie, if, for some stupid reason, I have 100 sources, does this produce
a far larger list?

The authentication ones one probably does not have to worry about, although
many are liable to use pretty simple keys I suspect (including the default
one-- should that default be removed?)



RTCREPORT                 OPEN   48   84   1.8
ACTIVITY                  OPEN   48   76   1.6
N_SOURCES                 OPEN   48   60   1.2
NULL                      OPEN   48   56   1.2
WRITERTC                  AUTH   64   72   1.1
TRIMRTC                   AUTH   64   72   1.1
SETTIME                   AUTH   76   84   1.1
RESELECTDISTANCE          AUTH   68   72   1.1
RESELECT                  AUTH   64   72   1.1
REKEY                     AUTH   64   72   1.1
MODIFY_MAXUPDATESKEW      AUTH   68   72   1.1
MANUAL_DELETE             AUTH   68   72   1.1
MANUAL                    AUTH   68   72   1.1
MAKESTEP                  AUTH   64   72   1.1
DUMP                      AUTH   68   72   1.1
DFREQ                     AUTH   68   72   1.1
CYCLELOGS                 AUTH   64   72   1.1
LOCAL                     AUTH   72   72   1.0
DOFFSET                   AUTH   72   72   1.0
LOGON                     OPEN   60   56   0.9
DEL_SOURCE                AUTH   84   72   0.9
CMDACCHECK                AUTH   84   72   0.9
ACCHECK                   AUTH   84   72   0.9
MODIFY_POLLTARGET         AUTH   88   72   0.8
MODIFY_MINSTRATUM         AUTH   88   72   0.8
MODIFY_MINPOLL            AUTH   88   72   0.8
MODIFY_MAXPOLL            AUTH   88   72   0.8
MODIFY_MAXDELAYRATIO      AUTH   88   72   0.8
MODIFY_MAXDELAYDEVRATIO   AUTH   88   72   0.8
MODIFY_MAXDELAY           AUTH   88   72   0.8
DENYALL                   AUTH   88   72   0.8
DENY                      AUTH   88   72   0.8
CMDDENYALL                AUTH   88   72   0.8
CMDDENY                   AUTH   88   72   0.8
CMDALLOWALL               AUTH   88   72   0.8
CMDALLOW                  AUTH   88   72   0.8
ALLOWALL                  AUTH   88   72   0.8
ALLOW                     AUTH   88   72   0.8
ONLINE                    AUTH  104   72   0.7
OFFLINE                   AUTH  104   72   0.7
BURST                     AUTH  112   72   0.6
ADD_SERVER                AUTH  116   72   0.6
ADD_PEER                  AUTH  116   72   0.6



--
William G. Unruh   |  Canadian Institute for|     Tel: +1(604)822-3273
Physics&Astronomy  |     Advanced Research  |     Fax: +1(604)822-5324
UBC, Vancouver,BC  |   Program in Cosmology |     unruh@xxxxxxxxxxxxxx
Canada V6T 1Z1     |      and Gravity       |  www.theory.physics.ubc.ca/

--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.


Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/