Maximum reply size? Megabytes?

It has been claimed that NTPd can send responses that are several MEGABYTES.

To the best of my knowledge, #define MAXMONMEM 600 In the source means that monlist can return no more than 600 entries. Therefore the maximum monlist reply would be several kilobytes. Does anyone know of any ntp reply that can be several megabytes?

monlist might be limited to 600, but mrulist most definitely isn’t…

Feel free to run ntpq -c mrulist on your machine and prepare to sit and wait… I stopped mine that got to over 65,000 entries while I was typing this reply…

Though mrulist requires a nonce to prevent spoofing.

Why do you ask?

I ask because of what you had hinted at, spoofing. A professor at a well-known university that teaches network security states that one can do an amplification attack by spoofing and getting replies that are several megabytes. I’ve requested more info; haven’t received a reply.

He’s probably talking about monlist. That was the big NTP amplification attack back in the day, if there was anything new I would have expected it to have been published / fixed.

Hackers are most of the time ahead of the security squad :wink:

Yeah but this is a college professor… Academia wouldn’t hold something like that back.

There are a lot of old manuals for configuring ntp on the internet. And there are no guidelines for setting up servers specially for the pool/highload. How many servers you should use and what servers are good? Do you need monlist enabled? Some server owners may use the monlist, others may not. There is no configuration consistency and many controversial issues.

Hi, there are some guidelines on this page and the linked “configuration recommendations” page: https://www.ntppool.org/en/join.html

Good luck doing that with NTP as it’s not TCP but UDP.
Such things happened in the past with DNS, HTTP and proxy servers etc.
But today those servers are protected in code to prevent that.

It’s far easier to mass-mail Windows users that click on anything and install a bot/virus on their machines.

I have not seen any type of this attack that happened on Linux machines for a long time.

Networks do not need much security, it’s the clown behind the screen that is often the problem :slight_smile:

You may have forgotten the NTP monlist attack from some years back. For every UDP packet an NTP server received, the ntpd daemon sent back up to 600 UDP packets.


Hi Lammert,

I know, but Linux machines fix those problems quickly.

KOD and LIMITED have solved that.

It worked a few times, but today? I haven’t seen them unless poor configuration.
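To check whether a server actually has the protections mentioned in this thread (kod, limited, and refusing mode 6/7 queries so monlist/mrulist cannot be answered), here is a small ntp.conf audit script. It is an added example, not code from the NTP Pool project or from anyone in this thread; the two embedded configurations are constructed samples and the script only understands the `restrict` and `disable monitor` lines it needs.

```python
# Constructed sample: 'restrict default' with no noquery/limited/kod, and the
# MRU monitor left enabled, so monlist/mrulist replies go to anyone who asks.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default nomodify notrap
restrict 127.0.0.1
"""

# Constructed sample with the restrictions discussed in the thread applied.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means no issue was spotted."""
    findings = []
    default_flag_sets = []      # flags of every 'restrict [-4|-6] default' line
    monitor_disabled = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "disable" and "monitor" in words[1:]:
            monitor_disabled = True
        elif words[0] == "restrict" and "default" in words[1:3]:
            default_flag_sets.append(set(words[1:]))
    if not default_flag_sets:
        findings.append("no 'restrict default' line: any client may query and control ntpd")
    for flags in default_flag_sets:
        if "noquery" not in flags:
            findings.append("restrict default lacks noquery: mode 6/7 queries (monlist, mrulist) are answered")
        if "limited" not in flags:
            findings.append("restrict default lacks limited: no rate limiting of abusive clients")
        if "kod" not in flags:
            findings.append("restrict default lacks kod: rate-limited clients are not sent a kiss-o'-death")
        if "nomodify" not in flags:
            findings.append("restrict default lacks nomodify: remote runtime configuration allowed")
    if not monitor_disabled:
        findings.append("monitor not disabled: the MRU list is kept, so monlist/mrulist have entries to return")
    return findings
```

Run it against the text of your own ntp.conf; the hardened sample above yields no findings, the weak one yields four.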