From: Harlan Stenn Date: Sat, 23 Jan 2016 12:54:39 +0000 (+0000) Subject: [Sec 2901] Additional KoD packet checks. HStenn. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3cc8ae784d613a983792d99f3589422e8057bff1;p=thirdparty%2Fntp.git [Sec 2901] Additional KoD packet checks. HStenn. bk: 56a3780fR8INkXDPyHYS7AsXrccLQw --- diff --git a/ChangeLog b/ChangeLog index 23f0ad45e..656f42a80 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ --- * [Sec 2901] KoD packets must have non-zero transmit timestamps. HStenn. +* [Sec 2901] Additional KoD packet checks. HStenn. * [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve time. Include passive servers in this check. HStenn. * [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c index 02efb18b3..43a47af31 100644 --- a/ntpd/ntp_proto.c +++ b/ntpd/ntp_proto.c 
@@ -1451,6 +1451,58 @@ receive(
 return;
 }
+ /*
+ * Basic KoD validation checking:
+ *
+ * KoD packets are a mixed-blessing. Forged KoD packets
+ * are DoS attacks. There are rare situations where we might
+ * get a valid KoD response, though. Since KoD packets are
+ * a special case that can easily complicate the checks we do
+ * next, we handle the special KoD cases here.
+ *
+ * Note that we expect the incoming KoD packet to have its
+ * (nonzero) org, rec, and xmt timestamps set to the xmt timestamp
+ * that we have previously sent out. Watch interleave mode.
+ */
+ } else if (0 == hisstratum) {
+ if ( L_ISZERO(&p_xmt)
+ || L_ISZERO(&p_org)
+ || L_ISZERO(&p_rec)) {
+ peer->bogusorg++;
+ msyslog(LOG_INFO,
+ "receive: KoD packet from %s has a zero xmt, org, or rec timestamp. Ignoring.",
+ ntoa(&peer->srcadr));
+ return;
+ }
+
+ if ( !L_ISEQU(&p_xmt, &p_org)
+ || !L_ISEQU(&p_xmt, &p_rec)) {
+ peer->bogusorg++;
+ msyslog(LOG_INFO,
+ "receive: KoD packet from %s has inconsistent xmt/org/rec timestamps. Ignoring.",
+ ntoa(&peer->srcadr));
+ return;
+ }
+
+ /* Be conservative */
+ if (peer->flip == 0 && !L_ISEQU(&p_org, &peer->aorg)) {
+ peer->bogusorg++;
+ msyslog(LOG_INFO,
+ "receive: Unexpected KoD origin timestamp %#010x.%08x from %s does not match %#010x.%08x",
+ p_org.l_ui, p_org.l_uf,
+ ntoa(&peer->srcadr),
+ peer->aorg.l_ui, peer->aorg.l_uf);
+ return;
+ } else if (peer->flip == 1 && !L_ISEQU(&p_org, &peer->borg)) {
+ peer->bogusorg++;
+ msyslog(LOG_INFO,
+ "receive: Unexpected KoD origin timestamp %#010x.%08x from %s does not match interleave %#010x.%08x",
+ p_org.l_ui, p_org.l_uf,
+ ntoa(&peer->srcadr),
+ peer->borg.l_ui, peer->borg.l_uf);
+ return;
+ }
+
 /*
 * Basic mode checks:
 *
@@ -1470,6 +1522,7 @@ receive(
 * be from us, attempting to cause our server to KoD us.
 */
 } else if (peer->flip == 0) {
+ /* HMS: we can simplify this now that we do KoD checks above */
 if (0 < hisstratum && L_ISZERO(&p_org)) {
 L_CLR(&peer->aorg);
 } else if ( L_ISZERO(&peer->aorg)
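Review bot: The origin comparison under `/* Be conservative */` runs only when `peer->flip` is exactly 0 or exactly 1, so a stratum-0 packet that arrives while `flip` holds any other value clears the two earlier timestamp checks and leaves this arm without its origin ever being compared with `aorg` or `borg`. Whether `flip` can hold another value is not visible in this hunk; if it can, the chain should end fail-closed, for example `} else if (peer->flip != 0 && peer->flip != 1) { peer->bogusorg++; return; }`, or compare against whichever saved origin applies in that state, and if it cannot, a one-line comment saying that 0 and 1 are exhaustive would settle it. Each rejection also writes an `msyslog(LOG_INFO, ...)` line, and because the block comment itself treats forged KoD packets as a DoS vector, it is worth confirming outside this hunk that those messages are rate limited; `peer->bogusorg` already counts the drops. The `else if` chain this arm belongs to begins and ends outside the hunk.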
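Review bot: The added `/* HMS: ... */` comment in the second hunk does not say what can be simplified, which leaves the next reader to work it out. If this arm belongs to the same `else if` chain as the `0 == hisstratum` arm added in the previous hunk, as the context lines suggest, and `hisstratum` is never negative, then `0 < hisstratum` is always true here and the test reduces to `L_ISZERO(&p_org)`. I would spell that out, e.g. `/* HMS: stratum 0 is handled by the KoD arm above, so the 0 < hisstratum test is now redundant */`, so that a later reordering of the chain does not silently change which packets may clear `peer->aorg`. The `if`/`else if` that follows continues past the end of the hunk.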