Date: Tue, 18 Mar 2014 07:41:16 +0000 From: Matthew Seaman <matthew@FreeBSD.org> To: freebsd-security@freebsd.org Subject: Re: NTP security hole CVE-2013-5211? Message-ID: <5327F89C.60606@FreeBSD.org> In-Reply-To: <29310.1395114987@server1.tristatelogic.com> References: <29310.1395114987@server1.tristatelogic.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --nJbI9T20nskbMJvo0DOFr0iOjOFM1ED0r Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 18/03/2014 03:56, Ronald F. Guilmette wrote: > (It was explained to me at the time that NTP operates a bit like DNS...= > with which I am more familiar... i.e. that all outbound requests origin= ate > on high numbered ports, well and truly away from all low numbered ports= , > including, in particular, 123. I am just re-verifying that my understa= nding > in this regard is correct, and that my current blanket firewall rule is= > fine as it stands.) It's not uncommon for NTP to have both source and destination ports set to 123. This was the standard some years back, but such things as NAT always meant that couldn't be relied on. I don't know if this is still seen as a normal practice, but all the NTP related entries sockstat shows me are bound to port 123 on the local side. Unlike DNS, I don't think there are any particular security penalties to not using a wide range of UDP source ports for NTP. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey --nJbI9T20nskbMJvo0DOFr0iOjOFM1ED0r Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.20 (Darwin) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJ8BAEBCgBmBQJTJ/icXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2NTNBNjhCOTEzQTRFNkNGM0UxRTEzMjZC QjIzQUY1MThFMUE0MDEzAAoJELsjr1GOGkATqTUP/jpOcovOIrK+52MZgjZiBw93 6doxctuJa8pcBR6Hj7x76uO0tOYfzOS95RP3SWnEGpmsYJ7HDV6inMQSKc/RmmQA 4Gxs0/HRfE3bZ1DLfWUH7fZQZAVDgl/a7rn5cgr+kXfM27Qdekn5VFiAkT3ALthU mjIcMSVEN2z0SPjIu9gp50lTcGiIlHfneyc74Fia2xUvOYjwv8inqiYm6V6h8AKu dyquDrQdAAsg9bmjhuMZyMhwaZaSlIe7LpVFN17eCT9wbb46QEnR1IKbbxG4LWqH H6NYFiHzy8EK7DTAbYFbynVfK+nPT15gLwDlJEq0TkjwYmjhqFsy7FW5oMBhq9f0 jLKOuU3NAw/tRgZAUuPohJr98WQcvA1DdI0i3GgYYCr64QvJqg/dgChb+B/7eEiQ YkhciLBmgwNP/hI5RtTTmo78XIG28lXgDrHKu+5qdhdJt/v8zoR6c3ML4selfz5A kR4Z8xEEtnSSVQSdXwFBuKbC8skdWk9Il0+jeImduxuOzR8PiaAGbPWVmHygabQt MmlMSHwYiDZ6Wh+7Ua8kgwmpWuabMLaoLN3sUPHku8L9JD1qbLAsiWLUFyAgGHXF nprLPPPCZSmRf+CuMZE8lewM16rtvMeTTzT8yzNeguzoWy8m5uN9LwcXdg2JaFuq ejgaH41VwCvd9HpQzQt9 =VNFS -----END PGP SIGNATURE----- --nJbI9T20nskbMJvo0DOFr0iOjOFM1ED0r--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5327F89C.60606>