Re: [chrony-dev] Traffic amplification with chrony commands

[Bill Unruh <unruh@xxxxxxxxxxxxxx>]

On Thu, 16 Jan 2014, Miroslav Lichvar wrote:

> On Mon, Jan 13, 2014 at 03:13:44PM -0800, Bill Unruh wrote:
>
> > chrony also has the chronyc type queries which can be sent to a remote IP.
> > Fortunately chronyd's default is to not accept queries from anything but the
> > local machine, instead of ntpd's default of accepting queries from
> > the world. However, if you do happen to make chronyd open to
> > accepting queries from the
> > world, you can get rather huge multiplication. The chronyc "help" for example put out
> > something like 3000 characters for a simple query. (although I am not sure
> > that the remote chronyd actually accepts the help command. Certainly chronyc
> > seems to answer this one locally).
>
> The help command just prints a message stored in chronyc, no packets
> are exchanged with the server.

That was what I seemed to discover as there were no packets exchanged when I
typed help on a remote chronyd from a local chronyc.

> I've checked packet lengths for all commands and the biggest offender
> is MANUAL_LIST (chronyc manual list), which may amplify the traffic by
> up to factor of 17.2. The second worse is CLIENT_ACCESSES_BY_INDEX
> (chronyc clients) with factor of 6.5, but the client has to be
> authenticated to get the reply. Everything else is below 3. In the
> protocol there is at most one reply per request.
>
> The MANUAL_LIST command is used to list up to 32 manual measurements,
> which were entered by the SETTIME command when the manual mode is
> enabled. It's disabled by default and I think it's unlikely that
> someone would use the manual mode on a system connected to internet.

I agree.

> So, what do we do? Pad all requests so they are never smaller than
> their replies? It wouldn't be very difficult to implement, but it
> would obviously break compatibility with older chrony versions. An

That does not sound like a great option, I agree.

> easy fix for MANUAL_LIST would be to require authentication.

That sounds fine. It does not seem that chrony is in any real danger of being
used for an amplification attack.

3-1 does not really sound like a terribly useful amplification.


> Any suggestions?
>
> The following table has details on all currently supported commands.
> The columns are name, flag if it's open to any client or requires
> authentication, minimum length of the request in IPv4 packet, maximum
> length of the reply in IPv4 packet and the ratio of the two values.
> MD5 authentication is assumed for commands with AUTH.
>
> MANUAL_LIST               OPEN   48  828  17.2
> CLIENT_ACCESSES_BY_INDEX  AUTH   72  468   6.5
> TRACKING                  OPEN   48  132   2.8
> SOURCESTATS               OPEN   52  112   2.2
> SOURCE_DATA               OPEN   52  104   2.0

Do sourcestats and source data depend on how may sources you have on your
system? Ie, if, for some stupid reason, I have 100 sources, does this produce
a far larger list?

The authentication ones one probably does not have to worry about, although
many are liable to use pretty simple keys I suspect (including the default
one-- should that default be removed?)



> RTCREPORT                 OPEN   48   84   1.8
> ACTIVITY                  OPEN   48   76   1.6
> N_SOURCES                 OPEN   48   60   1.2
> NULL                      OPEN   48   56   1.2
> WRITERTC                  AUTH   64   72   1.1
> TRIMRTC                   AUTH   64   72   1.1
> SETTIME                   AUTH   76   84   1.1
> RESELECTDISTANCE          AUTH   68   72   1.1
> RESELECT                  AUTH   64   72   1.1
> REKEY                     AUTH   64   72   1.1
> MODIFY_MAXUPDATESKEW      AUTH   68   72   1.1
> MANUAL_DELETE             AUTH   68   72   1.1
> MANUAL                    AUTH   68   72   1.1
> MAKESTEP                  AUTH   64   72   1.1
> DUMP                      AUTH   68   72   1.1
> DFREQ                     AUTH   68   72   1.1
> CYCLELOGS                 AUTH   64   72   1.1
> LOCAL                     AUTH   72   72   1.0
> DOFFSET                   AUTH   72   72   1.0
> LOGON                     OPEN   60   56   0.9
> DEL_SOURCE                AUTH   84   72   0.9
> CMDACCHECK                AUTH   84   72   0.9
> ACCHECK                   AUTH   84   72   0.9
> MODIFY_POLLTARGET         AUTH   88   72   0.8
> MODIFY_MINSTRATUM         AUTH   88   72   0.8
> MODIFY_MINPOLL            AUTH   88   72   0.8
> MODIFY_MAXPOLL            AUTH   88   72   0.8
> MODIFY_MAXDELAYRATIO      AUTH   88   72   0.8
> MODIFY_MAXDELAYDEVRATIO   AUTH   88   72   0.8
> MODIFY_MAXDELAY           AUTH   88   72   0.8
> DENYALL                   AUTH   88   72   0.8
> DENY                      AUTH   88   72   0.8
> CMDDENYALL                AUTH   88   72   0.8
> CMDDENY                   AUTH   88   72   0.8
> CMDALLOWALL               AUTH   88   72   0.8
> CMDALLOW                  AUTH   88   72   0.8
> ALLOWALL                  AUTH   88   72   0.8
> ALLOW                     AUTH   88   72   0.8
> ONLINE                    AUTH  104   72   0.7
> OFFLINE                   AUTH  104   72   0.7
> BURST                     AUTH  112   72   0.6
> ADD_SERVER                AUTH  116   72   0.6
> ADD_PEER                  AUTH  116   72   0.6

--
William G. Unruh   |  Canadian Institute for|     Tel: +1(604)822-3273
Physics&Astronomy  |     Advanced Research  |     Fax: +1(604)822-5324
UBC, Vancouver,BC  |   Program in Cosmology |     unruh@xxxxxxxxxxxxxx
Canada V6T 1Z1     |      and Gravity       |  www.theory.physics.ubc.ca/

--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.