ntpq mrulist, #547
Hal Murray
hmurray at megapathdsl.net
Tue Oct 8 19:50:29 UTC 2019
> Another quirk.
I just blundered into a variation on raw mode breaking mru:
ntpq> debug 2
debug level is 2
ntpq> mru
Ctrl-C will stop MRU retrieval and display partial results.
sendrequest: opcode=12, associd=0, qdata=
2019-10-08T19:35:20.8144388Z Fragment collection begins
2019-10-08T19:35:20.814789Z Fragment collection ends. 32 bytes in 1 fragments
Command `mrulist' is unknown
ntpq>
debug 1 works.
----------
An addition to the message describing mrulist that started this thread.
Things like mrulist that return lots of data can be used for DDoS attacks.
(DNS has similar problems.) The older version, monlist, was used for at least
one major DDoS attack.
The mrulist handshake avoids that by requiring a cookie. There is an extra
pair of packets at the start of the mrulist operations to get that cookie.
The cookie proves that the request came from the target system rather than the
return address in a forged request.
That cookie has a lifetime. I don't know how/when it gets refreshed.
--
These are my opinions. I hate spam.
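
The cookie handshake described in the message above, as an added sketch that is not part of the original post and is not the ntpd/ntpq code. The cookie layout (issue time plus an HMAC over source address and time), the 16-second lifetime, the silent drop on a bad cookie and all names below are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

COOKIE_LIFETIME = 16       # seconds; assumed value, the message gives none
SECRET = os.urandom(32)    # per-server secret, never sent to clients
BIG_REPLY = b"x" * 4000    # constructed stand-in for a large mrulist-style answer


def _mac(addr, ts):
    """Bind the cookie to one source address and one issue time."""
    return hmac.new(SECRET, addr.encode() + ts, hashlib.sha256).digest()[:16]


def make_cookie(source_addr, now):
    """Reply to the first packet of the extra pair: 20 bytes, so no amplification."""
    ts = struct.pack("!I", int(now))
    return ts + _mac(source_addr, ts)


def cookie_ok(cookie, source_addr, now):
    """True only if the cookie was issued to source_addr and is still fresh."""
    if len(cookie) != 20:
        return False
    ts, mac = cookie[:4], cookie[4:]
    if not hmac.compare_digest(mac, _mac(source_addr, ts)):
        return False
    age = int(now) - struct.unpack("!I", ts)[0]
    return 0 <= age <= COOKIE_LIFETIME


def handle_request(source_addr, cookie, now):
    """Return the bytes the server sends to source_addr, which may be forged."""
    if cookie is None:
        # Cookie request: a forger never sees this reply, it goes to the
        # real owner of source_addr.
        return make_cookie(source_addr, now)
    if cookie_ok(cookie, source_addr, now):
        # The requester has shown it receives packets sent to source_addr.
        return BIG_REPLY
    # Missing, forged, replayed from another address, or expired cookie:
    # send nothing (assumed policy), so the large reply is never reflected.
    return b""
```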