Re: [chrony-dev] Traffic amplification with chrony commands



On Thu, Jan 16, 2014 at 07:40:56PM +0100, Miroslav Lichvar wrote:
> The following table has details on all currently supported commands.
> The columns are name, flag if it's open to any client or requires
> authentication, minimum length of the request in IPv4 packet, maximum
> length of the reply in IPv4 packet and the ratio of the two values.
> MD5 authentication is assumed for commands with AUTH.
> 
> MANUAL_LIST               OPEN   48  828  17.2

While preparing patches to address this issue I noticed that chronyd
keeps at most 16 manual samples, so the reply packet is never full and
the maximum possible amplification factor is 9.2.

> NULL                      OPEN   48   56   1.2

There is an issue with this one that wasn't mentioned before. When
chronyd receives a request with a bad version, a bad length (but with a full
header) or from a host that's not allowed by cmdallow, it will send
a NULL reply with the STT_BADPKTVERSION, STT_BADPKTLENGTH or
STT_NOHOSTACCESS error status even when the host is not allowed by
cmdallow.

This means some small amplification is possible with any address
unless it's blocked by a firewall or chronyd is configured with the
bindcmdaddress directive to listen only on loopback. Also, the
STT_BADPKTVERSION reply includes empty MD5 auth data for compatibility
with older clients, so the amplification factor with the NULL reply can
reach 1.5.

I think the NULL reply with STT_NOHOSTACCESS status isn't useful
enough to keep chronyd replying to any host. Even when the protocol is
fixed to not allow any amplification, this looks like something that
the administrator would need to be aware of and block in the firewall
if necessary.

I'd like to deprecate it and ignore packets from hosts not allowed by
cmdallow completely. It would be identical to the allow command and
NTP packets. The only difference for chronyc would be that it would
time out after 7 seconds with "506 Cannot talk to daemon" instead of
printing "510 No command access from this host" when the host is not
allowed.

I'll send the patches for review shortly.

-- 
Miroslav Lichvar
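Added example (not chrony's own code and not part of this thread): a small Python model of the current versus proposed handling of command requests from hosts outside cmdallow, using the 48-byte minimum request and 56-byte NULL reply quoted in the mail. The 16-byte size of the legacy empty MD5 auth field and the order in which the checks are applied are assumptions.

```python
"""Model of chronyd's command-port reply policy as discussed in the mail.

Constructed illustration, not chrony's code.  REQUEST_MIN_LEN and
NULL_REPLY_LEN come from the table in the mail; MD5_AUTH_LEN is an
assumed value that reproduces the 1.5 ratio the mail quotes.
"""
from typing import Optional

REQUEST_MIN_LEN = 48   # minimum command request length, IPv4 packet
NULL_REPLY_LEN = 56    # NULL reply length, IPv4 packet
MD5_AUTH_LEN = 16      # assumed size of the empty legacy MD5 auth field


def reply_length(allowed: bool, version_ok: bool, length_ok: bool,
                 ignore_disallowed: bool) -> Optional[int]:
    """Return the number of bytes chronyd sends back, or None if dropped.

    ignore_disallowed=False models the current behaviour: a NULL reply
    carrying STT_BADPKTVERSION / STT_BADPKTLENGTH / STT_NOHOSTACCESS goes
    out even to hosts outside cmdallow.  True models the proposed change:
    packets from such hosts are ignored, as NTP packets already are.
    The check order below is an assumption, not chronyd's actual order.
    """
    if ignore_disallowed and not allowed:
        return None                      # silently dropped, no reply at all
    if not version_ok:
        # STT_BADPKTVERSION reply keeps empty MD5 auth data for old clients
        return NULL_REPLY_LEN + MD5_AUTH_LEN
    if not length_ok or not allowed:
        # STT_BADPKTLENGTH or STT_NOHOSTACCESS: plain NULL reply
        return NULL_REPLY_LEN
    return NULL_REPLY_LEN                # a valid NULL command, same size


def amplification(reply_len: Optional[int],
                  request_len: int = REQUEST_MIN_LEN) -> float:
    """Bytes sent per byte received, rounded as in the mail's table."""
    if reply_len is None:
        return 0.0
    return round(reply_len / request_len, 1)


if __name__ == "__main__":
    for policy in (False, True):
        for case in ((False, False, True), (False, True, True)):
            r = reply_length(*case, ignore_disallowed=policy)
            print(f"ignore_disallowed={policy} case={case}: "
                  f"reply={r} factor={amplification(r)}")
```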


