Re: [chrony-users] prevent amplification attack

[ Thread Index | Date Index | More Archives ]

On Thu, Dec 09, 2021 at 07:14:57PM +0100, Adrian Zaugg wrote:
> Hi there
> My network is monitored by and it reports for my chrony 
> instance, that it may be used in amplification attacks because it responded to 
> "ntp mode 6 query READVAR". [1] 
> They suggest to test with 
> 	ntpq -c rv <my ntp server's ip>

> How can I properly test whether it is true what claims and 

That command is ok. I'd suspect a bug in their monitoring tools.

I had a similar case, when OVH was claiming a public server was
involved in NTP amplification attack and their packet capture showed
just normal client/mode NTP traffic.

> how can I prevent chronyd to not answering such queries, if it did?

chronyd doesn't support the NTP mode 6 or 7. It never did. There is no
unsecure configuration wrt amplification. It also has an extra check
to make sure it doesn't send a response larger than the request in
case there was a bug adding an unexpected extension field, etc.

Miroslav Lichvar

To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Mail converted by MHonArc 2.6.19+