fiestajetsam closed 1 year ago
For context, ntpd removed the ntpd mode 7 monlist code entirely in 4.2.7p26 released in April 2010. That made it into the ntp-stable release 4.2.8 in December 2014. The ntpsec fork was after that. Also, in November 2011 4.2.7p230 disabled all mode 7 responses by ntpd by default, introducing an ntp.conf "enable mode7" override.
Even with the various bundled ntpd versions shipping for some time after those changes, it's been years since private mode has been a source of amplification. I don't think it is a good example of why NTPv5 needs to do things differently. Other mode 6 & mode 7 interactions are mild amplifiers, but there are juicier targets to leverage.
@hart-NTP Which juicier targets are you thinking of specifically?
Open DNS resolvers. There are so many to choose from, public and private. I'm guessing the big public resolvers have some mitigations to prevent sending too much via UDP to a single IP, but many ISPs have open resolvers as well.
Miroslav writes:
NTPv4 has previously suffered from DDoS amplification attacks using a combination of IP address spoofing and private mode commands used in many NTP implementations,
I suggest replacing "many" with "some". AFAIK only the ntp.org ntpd and its fork ntpsec have this issue.
Ulrich writes:
This could be reworded a little bit better.