Re: [chrony-dev] Traffic amplification with chrony commands



On Thu, Jan 16, 2014 at 10:52:55AM -0800, Bill Unruh wrote:
> On Thu, 16 Jan 2014, Miroslav Lichvar wrote:
> >easy fix for MANUAL_LIST would be to require authentication.
> 
> That sounds fine. It does not seem that chrony is in any real danger of being
> used for an amplification attack.
> 
> 3-1 does not really sound like a terribly useful amplification.

Does it? I'm still not sure about this.

> >SOURCESTATS               OPEN   52  112   2.2
> >SOURCE_DATA               OPEN   52  104   2.0
> 
> Do sourcestats and source data depend on how many sources you have on your
> system? I.e., if, for some stupid reason, I have 100 sources, does this produce
> a far larger list?

No. There is at most one reply per request. The sourcestats and source
replies contain data only for one source. With 100 sources, the client
has to make 100 requests.

> The authentication ones one probably does not have to worry about, although
> many are liable to use pretty simple keys I suspect (including the default
> one-- should that default be removed?)

You mean this file?

http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git;a=blob;f=examples/chrony.keys.example

It was updated in 1.28. Hopefully users are switching to the automatic
random password generation (generatecommandkey in chrony.conf) and
chronyc -a instead of using short memorable passwords.

-- 
Miroslav Lichvar
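The reply above recommends replacing short memorable command passwords with generated keys (generatecommandkey in chrony.conf, used via chronyc -a). The script below is an added example, not chrony's own code and not part of this thread: it audits a chrony.keys file for secrets that look short enough to be typed from memory. It assumes the chrony 1.x key file layout of "<id> [hash-type] [HEX:|ASCII:]<secret>" with '#' comments, MD5 as the default hash type and ASCII as the default encoding; the sample key file and the length thresholds are constructed for the example.

```python
"""Audit a chrony.keys file for short, memorable command keys.

Added example, not chrony's own code. It assumes the chrony 1.x key file
layout: one key per line as "<id> [hash-type] [HEX:|ASCII:]<secret>", with
'#' starting a comment, the hash type defaulting to MD5 and the secret
defaulting to ASCII. The sample key file and the strength thresholds below
are constructed for this example.
"""
from dataclasses import dataclass

# Assumed thresholds: 16 typed characters, or 32 hex digits (128 bits).
MIN_ASCII_CHARS = 16
MIN_HEX_DIGITS = 32

# Constructed sample; not chrony's shipped chrony.keys.example.
SAMPLE_KEYS = """\
# id  [hash]  secret
1 pass                          # short memorable ASCII password
2 MD5 ASCII:hunter2             # still short
3 SHA1 HEX:0123456789abcdef0123456789abcdef   # 128-bit random key
"""


@dataclass
class KeyEntry:
    key_id: int
    hash_type: str
    encoding: str   # "ASCII" or "HEX"
    secret: str


def parse_keys(text: str) -> list[KeyEntry]:
    """Parse key file text into KeyEntry records, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (2, 3) or not parts[0].isdigit():
            raise ValueError(f"unparseable key line: {raw!r}")
        hash_type = parts[1].upper() if len(parts) == 3 else "MD5"
        secret = parts[-1]
        prefix, sep, rest = secret.partition(":")
        if sep and prefix.upper() in ("HEX", "ASCII"):
            encoding, secret = prefix.upper(), rest
        else:
            encoding = "ASCII"
        if encoding == "HEX":
            int(secret, 16)  # raises ValueError on empty or non-hex secrets
        entries.append(KeyEntry(int(parts[0]), hash_type, encoding, secret))
    return entries


def is_weak(entry: KeyEntry) -> bool:
    """True when the secret is short enough to be typed from memory."""
    if entry.encoding == "HEX":
        return len(entry.secret) < MIN_HEX_DIGITS
    return len(entry.secret) < MIN_ASCII_CHARS


def weak_keys(entries: list[KeyEntry]) -> list[KeyEntry]:
    return [e for e in entries if is_weak(e)]


def audit(text: str) -> list[str]:
    """Return one finding per weak key; an empty list means all keys pass."""
    findings = []
    for e in weak_keys(parse_keys(text)):
        findings.append(
            f"key {e.key_id} ({e.hash_type}, {e.encoding}, {len(e.secret)} chars) "
            "is short; replace it with a generated key "
            "(generatecommandkey in chrony.conf) and use chronyc -a"
        )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_KEYS) or ["no weak keys found"]:
        print(line)
```

Run it against a real key file by passing the file's contents to audit(); keys 1 and 2 of the constructed sample are reported, key 3 passes. The thresholds are deliberately conservative and are an assumption of this example, not a chrony requirement.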
