[chrony-users] chrony and recent vulnerabilities in ntpd

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-users] chrony and recent vulnerabilities in ntpd
From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Fri, 23 Oct 2015 15:10:39 +0200

https://www.cs.bu.edu/~goldbe/NTPattack.html

For anyone wondering about this and the other vulnerabilities that
were recently fixed in ntpd, I think none of them are in chronyd. Here
are some comments.

As a client, chronyd does supports KoD RATE packets and it sets the
minimum polling interval, but it doesn't accept spoofed replies. Also,
the source port is random since chrony-1.30, which would make the
attack more difficult.

As a server, chronyd doesn't support rate limiting or KoD RATE.

As for the clock stepping issue, chronyd by default doesn't do any
steps from network, only the makestep and initstepslew directives
allow that. The makestep directive works as described, it allows the
clock to be stepped only in the number of updates that was specified.

Allowing chronyd to always step using the -1 limit is not recommended.
If you know your clock can't be wildly off after start, it's
recommended to not use makestep at all. At worst, a MITM attacker can
speed up or slow down your clock by 10%.

-- 
Miroslav Lichvar

-- 
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Messages sorted by: [ date | thread ]
Prev by Date: Re: [chrony-users] Problem with authentication algorithm
Next by Date: Re: [chrony-users] Problem with authentication algorithm
Previous by thread: [chrony-users] chrony-2.2 released

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/