Re: [chrony-users] prevent amplification attack



On Thu, Dec 09, 2021 at 07:14:57PM +0100, Adrian Zaugg wrote:
> Hi there
> 
> My network is monitored by shadowserver.org and it reports for my chrony 
> instance, that it may be used in amplification attacks because it responded to 
> "ntp mode 6 query READVAR". [1] 
> 
> They suggest to test with 
> 	ntpq -c rv <my ntp server's ip>

> How can I properly test whether it is true what shadowserver.org claims and 

That command is ok. I'd suspect a bug in their monitoring tools.

I had a similar case, when OVH was claiming a public server was
involved in an NTP amplification attack and their packet capture showed
just normal client/mode NTP traffic.

> how can I prevent chronyd from answering such queries, if it did?

chronyd doesn't support the NTP mode 6 or 7. It never did. There is no
insecure configuration wrt amplification. It also has an extra check
to make sure it doesn't send a response larger than the request in
case there was a bug adding an unexpected extension field, etc.

-- 
Miroslav Lichvar
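
Added example, not part of the original message and not chrony code: one way to check a report like this against your own packet capture is to classify each UDP/123 request/response payload pair by NTP mode and compare sizes. The function names are hypothetical, the payloads are assumed to be already extracted from the capture, and the sample packets are constructed.

```python
import struct

MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}
OP_READVAR = 2  # mode 6 "read variables" opcode, the query `ntpq -c rv` sends


def ntp_mode(payload: bytes) -> int:
    """Mode is the low 3 bits of the first byte (LI:2 | VN:3 | Mode:3)."""
    if not payload:
        raise ValueError("empty payload")
    return payload[0] & 0x07


def assess(request: bytes, response: bytes) -> dict:
    """Describe one request/response pair; response is b"" if none was seen."""
    req_mode = ntp_mode(request)
    readvar = False
    if req_mode == 6 and len(request) >= 12:
        # Mode 6 header: flags, R/E/M+opcode, sequence, status,
        # association id, offset, count (12 bytes, network byte order).
        rem_op = struct.unpack("!BBHHHHH", request[:12])[1]
        readvar = (rem_op & 0x1F) == OP_READVAR
    return {
        "request": MODE_NAMES.get(req_mode, "reserved"),
        "response": MODE_NAMES.get(ntp_mode(response), "reserved") if response else None,
        "readvar": readvar,
        "ratio": round(len(response) / len(request), 2),
        # A server that answers mode 6/7 at all is what the scan report claims.
        "control_answered": bool(response) and req_mode in (6, 7),
        # Amplification means the reply is larger than the request.
        "amplifies": len(response) > len(request),
    }


# Constructed sample payloads (not taken from a real capture).
CLIENT_REQ = bytes([0x23]) + bytes(47)    # VN 4, mode 3, 48 bytes
SERVER_RESP = bytes([0x24]) + bytes(47)   # VN 4, mode 4, 48 bytes
READVAR_REQ = struct.pack("!BBHHHHH", 0x16, OP_READVAR, 1, 0, 0, 0, 0)
READVAR_RESP = struct.pack("!BBHHHHH", 0x16, 0x80 | OP_READVAR, 1, 0, 0, 0, 420) + b"v" * 420

if __name__ == "__main__":
    for name, req, resp in [("normal client/server", CLIENT_REQ, SERVER_RESP),
                            ("READVAR, no reply", READVAR_REQ, b""),
                            ("READVAR, answered", READVAR_REQ, READVAR_RESP)]:
        print(name, assess(req, resp))
```

A capture that only ever produces the first two kinds of result matches the behaviour described in the message above: client/server exchanges of equal size and no reply to mode 6.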

