Re: [chrony-users] NTS dropped packets
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] NTS dropped packets
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Tue, 1 Dec 2020 09:53:06 +0100
On Tue, Dec 01, 2020 at 12:44:10AM -0800, Hal Murray wrote:
>
> > Some major network operators are blocking or rate limiting NTP packets as a
> > mitigation against the ntpd mode-6 amplification attacks. In some networks it
> > specifically applies to longer NTP packets.
>
> What makes this case interesting is that the length test seems backwards.
> Long packets work. After the first 3 requests get dropped, the 4th request
> has 3 extra dummy cookies in the packet. That seems to make it big enough to
> get through.
I think someone made this observation before and there was an
explanation that the filter was trying to catch specific mode-6/7
packets that were exploited in the amplification attacks.
--
Miroslav Lichvar