Long range thoughts

Hal Murray hmurray at megapathdsl.net
Fri Feb 28 22:43:11 UTC 2020


Gary said:
>> There was discussion on the IETF NTP list of having the client
>> use a separate port.  The idea is to make it harder to attack
>> a client only system.  (There may be a draft RFC.)

> That is just handwaving security by obscurity.  No matter what port you put
> something on, nmap can find it trivially. 

It's more complicated than that.  The idea is to use an ephemeral port bound 
to the target address so:
  1) you have to run nmap while the ntp client is expecting an answer
    (after the answer or timeout, the socket goes away)
  2) you have to run nmap on the target server
  3) the client is only expecting answers to its request so mode 6 packets get
     tossed.

I think the reduction in target area is well worth considering.

Even if we don't split up the big blob, that and moving mode 6 to another port 
would allow us to make port 123 strictly server only.  That would simplify a 
lot of code.



-- 
These are my opinions.  I hate spam.
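The per-request ephemeral client socket Hal describes, as an added Python example (not code from the post or from NTPsec). The loopback stand-in server and the second peer that aims a mode 6 packet at the client's port are constructed for the demo; the socket only exists while one answer is outstanding, the kernel drops datagrams from any peer other than the one it was connected to, and anything that is not a mode 4 reply is tossed.

```python
import socket

MODE_SERVER, MODE_CONTROL = 4, 6  # NTP modes: 4 = server reply, 6 = control (ntpq-style)


def ntp_mode(pkt: bytes) -> int:
    """Mode is the low three bits of the first byte (LI:2, VN:3, Mode:3)."""
    return pkt[0] & 0x07


def is_expected_reply(pkt: bytes) -> bool:
    """A client waits only for a 48-byte mode 4 answer; mode 6 and anything else is tossed."""
    return len(pkt) >= 48 and ntp_mode(pkt) == MODE_SERVER


def query_once(server_addr, timeout=0.5, on_request_sent=None) -> dict:
    """Ephemeral UDP socket bound to one server for the life of a single request."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect(server_addr)              # ephemeral port; other peers' datagrams are discarded
        s.send(bytes([0x23]) + bytes(47))   # LI=0, VN=4, mode 3 (client) request, rest zero
        if on_request_sent:
            on_request_sent()
        delivered, accepted = 0, None
        while accepted is None:
            try:
                pkt = s.recv(512)
            except socket.timeout:          # no answer: the socket goes away just the same
                break
            delivered += 1
            if is_expected_reply(pkt):
                accepted = pkt
        return {"delivered": delivered, "accepted_mode": ntp_mode(accepted) if accepted else None}
    # socket closed here: the port stops existing once the answer or timeout arrives


def loopback_demo() -> dict:
    """Constructed scenario: a stand-in server answers; a different peer sends a mode 6 packet."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(0.5)
    other = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def respond():
        _, peer = server.recvfrom(512)                  # request came from the client's ephemeral port
        other.sendto(bytes([0x26]) + bytes(11), peer)   # mode 6 from another peer: never delivered
        server.sendto(bytes([0x24]) + bytes(47), peer)  # mode 4 answer from the server that was asked

    try:
        return query_once(server.getsockname(), on_request_sent=respond)
    finally:
        server.close()
        other.close()
```

On Linux and the BSDs the connected socket never sees the mode 6 datagram at all, so `delivered` is 1; even on a stack that delivered it, `is_expected_reply` would toss it.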