RE: [chrony-users] RE: Can we deny non-NTS client?
- To: "chrony-users@xxxxxxxxxxxxxxxxxxxx" <chrony-users@xxxxxxxxxxxxxxxxxxxx>
- Subject: RE: [chrony-users] RE: Can we deny non-NTS client?
- From: "Akihiko.Izumi@xxxxxxxx" <Akihiko.Izumi@xxxxxxxx>
- Date: Mon, 9 Jan 2023 12:15:23 +0000
> chrony does not implement any modes that could amplify NTP traffic
Thank you.
But I'm afraid the NTP server is vulnerable to spoofed source IP addresses of NTP clients; it may participate in DDoS attacks even though chrony does not amplify NTP traffic (the amplification factor is small).
> If the NTP server didn't respond to unauthenticated NTP requests, it couldn't respond with NTS NAK to indicate the client it has expired cookies.
I understand.
I think it is a trade-off between spoofed source IP address and expired cookies.
I hope the administrator of the NTP server can select which of them.
Best Regards,
-----Original Message-----
From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Sent: Monday, January 2, 2023 6:56 PM
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] RE: Can we deny non-NTS client?
On Tue, Dec 20, 2022 at 11:14:04AM +0000, Akihiko.Izumi@xxxxxxxx wrote:
> I consider public NTS servers which serve to any NTP client.
> I afraid NTS servers are abused for DDoS amplification.
chrony does not implement any modes that could amplify NTP traffic, like the ntpd mode 6, mode 7, or Autokey. No matter how it is configured, it won't amplify plain NTP, NTP protected by a symmetric key, or NTS-protected NTP traffic. Even if there were a bug causing a longer response to be generated, it would not be sent, as there is an additional check made before transmission comparing the length of the request and response.
If someone is claiming your chrony server is amplifying, they are wrong. I run a number of public servers and occasionally I get abuse reports claiming amplification, but their logs, when they actually have some, don't show it. They are just misinterpreting a busy NTP server as a DDoS attack.
> Regarding RFC8915, "8.4 Avoiding DDoS Amplification",
>
> NTS is designed to avoid contributing any further to this problem ...
>
> So, I think NTS server should be able to reject non-NTS NTP request to avoid DDoS amplification.
If the NTP server didn't respond to unauthenticated NTP requests, it couldn't respond with an NTS NAK to indicate to the client that it has expired cookies. This would slow down synchronization of NTS clients after being turned off/suspended for longer periods of time.
--
Miroslav Lichvar
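As an added illustration of the two points above (the pre-transmission length check, and why refusing unauthenticated requests would also silence the NTS NAK), here is a length model of an NTS request/response exchange written for this thread; it is not chrony's code. The cookie length, the AES-SIV nonce/tag sizing and the header layout are assumptions, and no real encryption is performed: only packet sizes are modelled.

```python
import os
import struct

# Extension field (EF) types from RFC 8915, section 7.6
EF_UNIQUE_ID, EF_COOKIE, EF_PLACEHOLDER, EF_AUTH = 0x0104, 0x0204, 0x0304, 0x0404
NTP_HEADER_LEN = 48
COOKIE_LEN = 100            # constructed; the real length is chosen by the server
NONCE_LEN = TAG_LEN = 16    # AES-SIV-CMAC-256 nonce and tag sizes (assumed here)
NTS_NAK = b"NTSN"           # kiss code of an NTS NAK (RFC 8915, section 5.7)

def ef(ef_type, body):
    """RFC 7822 EF: type, total length, body padded to a 4-byte boundary."""
    pad = (-len(body)) % 4
    return struct.pack("!HH", ef_type, 4 + len(body) + pad) + body + bytes(pad)

def auth_ef(plaintext):
    """Authenticator EF body: nonce len, ciphertext len, nonce, ciphertext.
    Length model only: the ciphertext is sized like AES-SIV output
    (tag + plaintext); nothing is actually encrypted."""
    nonce, ct = os.urandom(NONCE_LEN), bytes(TAG_LEN) + plaintext
    return ef(EF_AUTH, struct.pack("!HH", NONCE_LEN, len(ct)) + nonce + ct)

def nts_request(cookie, placeholders):
    """Mode 3 client request with one cookie and N cookie placeholders.
    Each placeholder reserves room for one extra cookie in the reply."""
    pkt = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)   # LI=0, VN=4, mode 3
    pkt += ef(EF_UNIQUE_ID, os.urandom(32)) + ef(EF_COOKIE, cookie)
    pkt += ef(EF_PLACEHOLDER, bytes(len(cookie))) * placeholders
    return pkt + auth_ef(b"")

def server_response(request, cookie_ok, new_cookies, answer_unauth=True):
    """Model of the server's decision: NTS reply, NTS NAK, or silence (None)."""
    hdr = bytes([0x24]) + bytes(NTP_HEADER_LEN - 1)   # mode 4, stratum 0
    if not cookie_ok:
        # Cookie undecryptable (e.g. expired): the only useful answer is an
        # unauthenticated 48-byte NTS NAK; a no-unauthenticated policy kills it.
        if not answer_unauth:
            return None
        return hdr[:12] + NTS_NAK + hdr[16:]   # reference ID carries "NTSN"
    uid = request[NTP_HEADER_LEN:NTP_HEADER_LEN + 36]   # echo Unique Identifier EF
    plain = ef(EF_COOKIE, os.urandom(COOKIE_LEN)) * new_cookies
    resp = hdr + uid + auth_ef(plain)
    # Transmission guard in the spirit of the thread: never send more bytes
    # than were received, so a reply can never amplify.
    return resp if len(resp) <= len(request) else None
```

With three placeholders the client sends 540 bytes and a reply carrying four fresh cookies is exactly 540 bytes, while a misbehaving reply with five cookies is dropped by the guard.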
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.