ntpq mrulist, #547

Hal Murray hmurray at megapathdsl.net
Tue Oct 8 19:50:29 UTC 2019

> Another quirk.

I just blundered into a variation on raw mode breaking mru

ntpq> debug 2
debug level is 2
ntpq> mru
Ctrl-C will stop MRU retrieval and display partial results.
sendrequest: opcode=12, associd=0, qdata=
2019-10-08T19:35:20.8144388Z Fragment collection begins
2019-10-08T19:35:20.814789Z Fragment collection ends. 32 bytes  in 1 fragments
Command `mrulist' is unknown

debug 1 works


An addition to the message describing mrulist that started this thread.

Things like mrulist that return lots of data can be used for DDoS attacks.  
(DNS has similar problems.)  The older version, monlist, was used for at least 
one major DDoS attack.

The mrulist handshake avoids that by requiring a cookie.  There is an extra 
pair of packets at the start of the mrulist operations to get that cookie.  
The cookie proves that the request came from the target system rather than the 
return address in a forged request.

That cookie has a lifetime.  I don't know how/when it gets refreshed.

These are my opinions.  I hate spam.

More information about the devel mailing list