Date:      Mon, 17 Mar 2014 20:56:27 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
To:        freebsd-security@freebsd.org
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <29310.1395114987@server1.tristatelogic.com>
In-Reply-To: <5323C244.8050101@freebsd.org>


In message <5323C244.8050101@freebsd.org>, 
Julian Elischer <julian@freebsd.org> wrote:

>the best solution is to add a firewall stateful rule so that the ONLY 
>port 123 udp packet that gets in is one that is a response to one you 
>sent out first.

Point of order, Mr. Chairman...

Two or three weeks ago, I woke up one day and found that (for no immediately
obvious reason) I had essentially zero outbound bandwidth... a fact which
distressed me greatly.

In short order I was able, on my own, to determine that the problem was
a relatively large outflow of packets from my server, all originating
from UDP port 123.

Several kind persons on the freebsd-questions mailing list advised me
at that time that I was being used/abused as an NTP attack amplifier,
and that the simple and easy solution was to block all inbound (from
other than my local network) packets directed at my UDP port 123, which
I did, immediately, with a new ipfw rule.  The problem then ceased.
(The evil perpetrators _do_ seem to be continuing to try to see if my
server can be used & abused by them however.  But fortunately, now they
are going away empty-handed.)

So anyway, I just want to be sure that I am clear about one thing.  My
server is not actually supplying NTP information to any other systems,
either on my network or elsewhere.  Nobody is "syncing" time with my
server.  Given that, may I safely assume... as I have been doing... that
100% of the _inbound_ packets directed at my UDP port 123 are in fact
nefarious in nature and that they thus can and should all be blocked,
e.g. via the one simple ipfw rule that I now have in place?

(It was explained to me at the time that NTP operates a bit like DNS...
with which I am more familiar... i.e. that all outbound requests originate
on high numbered ports, well and truly away from all low numbered ports,
including, in particular, 123.  I am just re-verifying that my understanding
in this regard is correct, and that my current blanket firewall rule is
fine as it stands.)


Regards,
rfg


P.S.  The brief period of time during which I was being used & abused as
an NTP attack reflector was attributable largely if not entirely to my own
earlier ignorance of the NTP protocol, and to the mistake in my personal
hand-crafted firewall rules which arose from that.  I take responsibility
for that, and apologize, as I should, to the entire Internet community for
my lapse.  That all having been said however, I personally do and will
support any appropriate adjustments to FreeBSD config files that might in
future make it less likely that ignorant people... like me... might
inadvertently hurt themselves on this particular sharp object.
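The distinction the thread turns on, as an added example (not code from the original message or from FreeBSD): a small Python model of the "keep-state" policy Julian describes, run over constructed datagrams. It labels an inbound UDP/123 payload by NTP mode (the mode-7 "monlist" probe of CVE-2013-5211 is the one that makes a host an amplifier) and admits an inbound datagram only if it reverses a flow this host opened. One caveat it is built to show: the reference ntpd sends its own client queries from source port 123, not from a high port; it is `ntpdate -u` that uses an unprivileged port. A stateful rule admits the replies in both cases; a blanket inbound block on 123 would also drop ntpd's replies. All addresses, ports and packet bytes are constructed here.

```python
"""Model of a stateful UDP/123 policy over NTP datagrams.

Added example, not code from the original thread. All addresses, ports and
datagrams below are constructed for illustration.
"""
from typing import List, Tuple

NTP_PORT = 123
# ntpd "private" (mode 7) request codes that dump the recent-client list;
# MON_GETLIST_1 (42) is the monlist query abused in CVE-2013-5211.
MON_GETLIST, MON_GETLIST_1 = 20, 42
MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control"}


def classify(payload: bytes) -> str:
    """Label an NTP datagram from its header bytes.

    Byte 0 packs LI(2) VN(3) mode(3). For mode 7 the layout is instead
    R(1) M(1) VN(3) mode(3), then auth/seq, implementation, request code.
    """
    if len(payload) < 4:
        return "short"
    mode = payload[0] & 0x07
    if mode == 7:
        is_response = bool(payload[0] & 0x80)
        req_code = payload[3]
        if not is_response and req_code in (MON_GETLIST, MON_GETLIST_1):
            return "monlist-request"
        return "private-response" if is_response else "private-request"
    return MODE_NAMES.get(mode, "reserved")


class StatefulUdpFilter:
    """Minimal model of an ipfw 'keep-state' rule: an outbound datagram
    creates a flow entry, and an inbound datagram is admitted only if it is
    the reverse of a flow this host opened. Matching is by 5-tuple only."""

    def __init__(self) -> None:
        self.flows = set()

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> None:
        self.flows.add((src_ip, src_port, dst_ip, dst_port))

    def inbound_allowed(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        return (dst_ip, dst_port, src_ip, src_port) in self.flows


def ntp_mode_packet(mode: int, version: int = 4) -> bytes:
    """A 48-byte NTP datagram of the given version and mode, other fields zeroed."""
    return bytes([(version << 3) | mode]) + b"\x00" * 47


# Constructed datagrams. The monlist probe is the classic 8-byte mode-7
# request: R/M=0, VN=2, mode=7; seq 0; implementation 3 (XNTPD); request 42.
MONLIST_PROBE = bytes([0x17, 0x00, 0x03, MON_GETLIST_1]) + b"\x00" * 4

ME = "198.51.100.7"          # this host (constructed)
UPSTREAM = "192.0.2.10"      # the server this host syncs from (constructed)
VICTIM = "203.0.113.5"       # spoofed source of the amplification probe (constructed)
STRANGER = "203.0.113.77"    # unrelated host asking us for time (constructed)


def run_scenario() -> List[Tuple[str, bool]]:
    """Replay the flows and return (label, admitted) for each inbound datagram."""
    fw = StatefulUdpFilter()
    # ntpd sends its own client queries from source port 123 ...
    fw.outbound(ME, NTP_PORT, UPSTREAM, NTP_PORT)
    # ... whereas 'ntpdate -u' sends from an unprivileged port.
    fw.outbound(ME, 49152, UPSTREAM, NTP_PORT)

    inbound = [
        (VICTIM, NTP_PORT, ME, NTP_PORT, MONLIST_PROBE),          # amplification probe
        (UPSTREAM, NTP_PORT, ME, NTP_PORT, ntp_mode_packet(4)),   # reply to ntpd
        (UPSTREAM, NTP_PORT, ME, 49152, ntp_mode_packet(4)),      # reply to ntpdate -u
        (STRANGER, 50000, ME, NTP_PORT, ntp_mode_packet(3)),      # unsolicited client
    ]
    return [(classify(p), fw.inbound_allowed(s, sp, d, dp))
            for s, sp, d, dp, p in inbound]


if __name__ == "__main__":
    for label, admitted in run_scenario():
        print(f"{label:18s} {'allow' if admitted else 'deny'}")
```

The model also shows the limit of the stateful rule: it matches on addresses and ports, not on payload, so a mode-7 probe spoofed from the address and port of a server this host is currently querying would be admitted. The firewall rule therefore belongs alongside the ntpd-side fix for CVE-2013-5211, that is, `disable monitor` and `restrict default noquery` in ntp.conf, so that a monlist request that does get through returns nothing worth amplifying.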


