Re: [chrony-users] RE: Can we deny non-NTS client?

[ Thread Index | Date Index | More Archives ]

On Tue, Dec 20, 2022 at 11:14:04AM +0000, Akihiko.Izumi@xxxxxxxx wrote:
> I consider public NTS servers which serve to any NTP client.
> I afraid NTS servers are abused for DDoS amplification.

chrony does not implement any modes that could amplify NTP traffic,
like the ntpd mode 6, mode 7, or Autokey. No matter how it is
configured, it won't amplify plain NTP, NTP protected by symmetric
key, nor NTS-protected-NTP traffic. Even if there was a bug causing a
longer response to be generated, it would not be sent as there is an
additional check made before transmission comparing the length of the
request and response.

If someone is claiming your chrony server is amplifying, they are
wrong. I run a number of public servers and occasionally I get abuse
reports claiming amplification, but their logs, when they actually
have some, don't show it. They are just misinterpreting a busy NTP
server as a DDoS attack.

> Regarding RFC8915, "8.4 Avoiding DDoS Amplification", 
>   NTS is designed to avoid contributing any further to this problem ...
> So, I think NTS server should be able to reject non-NTS NTP request to avoid DDoS amplification.

If the NTP server didn't respond to unauthenticated NTP requests, it
couldn't respond with NTS NAK to indicate the client it has expired
cookies. This would slow down synchronization of NTS clients after being
turned off/suspended for a longer periods of time.

Miroslav Lichvar

To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Mail converted by MHonArc 2.6.19+