[chrony-users] RE: Can we deny non-NTS client?



> Do you mean that the dedicated NTS time source needs to reject non-NTS requests to avoid DDoS attacks?

Yes.

> it seems that a special judgment logic is required,

I think so.
A dedicated NTS time source should check that the server's cookie (NTS Extension Fields of the NTP packet) exists and is correct.

As you wrote, the ratelimit and ntsratelimit parameters can reduce the damage of DDoS attacks. Thank you.

> However, the community seems to be investing in NTP5 Python development and may not have time.

I understand.
I hope the community will kindly consider preventing DDoS attacks when it has time.

Best Regards,
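The "special judgment logic" discussed in this thread (checking whether an incoming NTP request actually carries the NTS extension fields, including the server cookie, before the server spends resources on it) can be sketched as a packet classifier. The following is an added example written for this archive page, not code from chrony; it uses the extension field type values from RFC 8915 and the RFC 7822 field layout, assumes no legacy MAC trailer, and only checks presence and structure: verifying the cookie and the AEAD authenticator still requires the server's NTS keys.

```python
import struct

# Extension field types from RFC 8915 (sections 5.3, 5.4, 5.6); the cookie placeholder (5.5) is not needed here
NTS_UNIQUE_IDENTIFIER = 0x0104
NTS_COOKIE = 0x0204
NTS_AUTHENTICATOR = 0x0404
NTP_HEADER_LEN = 48

def parse_extension_fields(packet: bytes):
    # Walk the RFC 7822 extension fields that follow the 48-byte NTP header.
    # Assumption: no legacy MAC trailer, so every trailing byte must belong to a field.
    fields, offset = [], NTP_HEADER_LEN
    while offset < len(packet):
        if len(packet) - offset < 4:
            raise ValueError("truncated extension field header")
        ftype, flen = struct.unpack_from("!HH", packet, offset)
        # Length includes the 4-byte header, must be a multiple of 4 and must fit in the packet
        if flen < 4 or flen % 4 or offset + flen > len(packet):
            raise ValueError("bad extension field length")
        fields.append((ftype, packet[offset + 4:offset + flen]))
        offset += flen
    return fields

def classify_request(packet: bytes) -> str:
    # 'plain': bare mode-3 request; 'nts': the fields an NTS server needs are present
    # (unique identifier, a cookie, and the authenticator as the last field); 'malformed': anything else.
    # Presence is only a necessary condition; cookie decryption and tag verification need the server keys.
    if len(packet) < NTP_HEADER_LEN or (packet[0] & 0x07) != 3:
        return "malformed"
    try:
        fields = parse_extension_fields(packet)
    except ValueError:
        return "malformed"
    if not fields:
        return "plain"
    types = [t for t, _ in fields]
    if NTS_UNIQUE_IDENTIFIER in types and NTS_COOKIE in types and types[-1] == NTS_AUTHENTICATOR:
        return "nts"
    return "malformed"

def build_ef(ftype: int, body: bytes) -> bytes:
    # Encode one extension field, zero-padding the body to a 4-byte boundary
    body += b"\x00" * (-len(body) % 4)
    return struct.pack("!HH", ftype, 4 + len(body)) + body

# Constructed samples: LI=0, VN=4, mode=3 header with zeroed timestamps
HEADER = b"\x23" + b"\x00" * 47
NTS_REQUEST = (HEADER + build_ef(NTS_UNIQUE_IDENTIFIER, b"\x11" * 32)
               + build_ef(NTS_COOKIE, b"\x22" * 100) + build_ef(NTS_AUTHENTICATOR, b"\x33" * 32))
```

A server applying this filter would answer only packets classified as "nts", which is the behaviour the thread asks for; "plain" requests are exactly the ones that contribute to amplification.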

-----Original Message-----
From: chengyechun <chengyechun1@xxxxxxxxxx> 
Sent: Tuesday, December 20, 2022 8:47 PM
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-users] Re: Can we deny non-NTS client?

Do you mean that the dedicated NTS time source needs to reject non-NTS requests to avoid DDoS attacks?
If so, it seems that a special judgment logic is required, because according to the existing logic, the server only determines whether NTS authentication has been performed with the client based on the saved cookie.
According to the captured packets, after NTS authentication, the communication between the server and client is still UDP.
Therefore, whether authentication is available can only be viewed from the cookie of the server, which is unnecessary on non-NTS servers.
The ratelimit parameter can be used to limit the rate at which the server responds to NTP data packets, and the ntsratelimit parameter can be used to limit the rate of NTS requests. This should also prevent some DDoS attacks, but server resources may be wasted.
If you want to prevent DDoS attacks, two-way authentication seems to be a good choice. However, the community seems to be investing in NTP5 Python development and may not have time.
-----Original Message-----
From: Akihiko.Izumi@xxxxxxxx [mailto:Akihiko.Izumi@xxxxxxxx]
Sent: December 20, 2022 19:14
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-users] RE: Can we deny non-NTS client?

> The existing configuration parameters should not contain the field for rejecting clients that do not support the NTS function. 

Thank you, I understand.

> To prevent attacks, you can limit the IP address or ntsratelimit.

I consider public NTS servers which serve to any NTP client.
I am afraid NTS servers are abused for DDoS amplification.

Regarding RFC 8915, "8.4 Avoiding DDoS Amplification":

  NTS is designed to avoid contributing any further to this problem ...

So, I think an NTS server should be able to reject non-NTS NTP requests to avoid DDoS amplification.

Best Regards,
A.Izumi

-----Original Message-----
From: chengyechun <chengyechun1@xxxxxxxxxx> 
Sent: Monday, December 19, 2022 9:07 PM
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-users] Re: Can we deny non-NTS client?

NTS is applicable to server identity authentication. The existing configuration parameters should not contain a field for rejecting clients that do not support the NTS function. To prevent attacks, you can limit the IP address or use ntsratelimit.

-----Original Message-----
From: Akihiko.Izumi@xxxxxxxx [mailto:Akihiko.Izumi@xxxxxxxx]
Sent: December 19, 2022 20:00
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-users] Can we deny non-NTS client?

Hello,

When we run Chrony as a public NTP server, is it possible to deny NTP clients which do not support NTS?
If it is possible, I would like to know how to set it up.

A public NTP server which accepts both normal (non-NTS) NTP requests and NTS requests may suffer attacks aimed at both normal NTP servers and NTS-KE servers.
To reduce vulnerability, I would like to set up NTS servers which do not accept non-NTS NTP requests.

Best Regards,
A.Izumi
