[chrony-dev] Re: [chrony-users] Run chrony without acting as a NTP server



How is chrony on the amplification attacks like those against ntpd? As I
understand it, the server queries can return far more information (i.e. many
more bytes) than is in the query packet. This allows an attacker to send
queries to ntpd with someone else's IP address in the slot, so ntpd will send
back far more information to that spoofed address than was in the query packet.
One can thus send out a small packet and have a huge packet delivered to that
spoofed address.

chrony also has the chronyc-type queries, which can be sent to a remote IP.
Fortunately chronyd's default is to not accept queries from anything but the
local machine, instead of ntpd's default of accepting queries from the world.
However, if you do happen to make chronyd open to accepting queries from the
world, you can get rather huge multiplication. The chronyc "help", for example,
put out something like 3000 characters for a simple query (although I am not
sure that the remote chronyd actually accepts the help command; certainly
chronyc seems to answer this one locally).

Should this be restricted?
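As an added illustration of the restriction the message asks about (not part of the original message and not configuration shipped by the chrony project), the following chrony.conf fragment shows the exposed setting beside a locked-down one for a host that only wants to be an NTP client. The directive names are chrony's (allow/deny, port, cmdallow/cmddeny, bindcmdaddress, cmdport, cmdratelimit); which of them a given chronyd accepts depends on the installed version, and the monitoring host address 192.0.2.10 is a hypothetical placeholder.

```conf
# Added example, not from the original message or from the chrony project.
#
# Exposed: answering command/monitoring queries (UDP 323) from any address is
# exactly the situation the message warns about, since a short spoofed query
# can draw a much longer reply to the forged source address.
#
#   bindcmdaddress 0.0.0.0
#   cmdallow all
#
# Restricted configuration for a pure NTP client follows.

# NTP service: chronyd allows no clients unless an "allow" line is present;
# say so explicitly, and close the server port entirely with "port 0"
# (chronyd still sends its own client queries to its configured servers).
deny all
port 0

# Command/monitoring interface: bind only to loopback, deny every remote
# address, and close UDP 323 altogether with "cmdport 0". Local chronyc then
# reaches chronyd over its Unix domain socket instead of the network.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
cmddeny all
cmdport 0

# If one monitoring host genuinely needs remote chronyc access, allow only
# that host (hypothetical address) and rate-limit command replies so that a
# spoofed flood cannot turn chronyd into an amplifier:
#
#   cmdallow 192.0.2.10
#   cmdratelimit interval 1 burst 4
```

After restarting chronyd, `ss -lunp` on the host should show no listener on UDP 123 or 323 (apart from the loopback command socket if `cmdport` was left open), and `chronyc -h <host> tracking` run from another machine should time out rather than return data.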

