From owner-freebsd-security@FreeBSD.ORG Fri Mar 21 11:08:45 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 38EF1D63 for ; Fri, 21 Mar 2014 11:08:45 +0000 (UTC) Received: from mail.jr-hosting.nl (mail.jr-hosting.nl [78.47.69.234]) by mx1.freebsd.org (Postfix) with ESMTP id B4223A5E for ; Fri, 21 Mar 2014 11:08:44 +0000 (UTC) Received: from [IPv6:2001:470:d701::807:3495:fd4c:6be8] (unknown [IPv6:2001:470:d701:0:807:3495:fd4c:6be8]) by mail.jr-hosting.nl (Postfix) with ESMTPSA id A76FD3F4A0; Fri, 21 Mar 2014 12:08:42 +0100 (CET) Content-Type: multipart/signed; boundary="Apple-Mail=_20AE229B-882B-44AF-BA93-4919477E8D81"; protocol="application/pgp-signature"; micalg=pgp-sha1 Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) Subject: Re: NTP security hole CVE-2013-5211? From: Remko Lodder In-Reply-To: Date: Fri, 21 Mar 2014 12:08:40 +0100 Message-Id: References: <201403210421.WAA05406@mail.lariat.net> , <201403210444.WAA05541@mail.lariat.net> To: "Info / RIT.lt" X-Mailer: Apple Mail (2.1874) Cc: "freebsd-security@freebsd.org" , Micheas Herman X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Mar 2014 11:08:45 -0000 --Apple-Mail=_20AE229B-882B-44AF-BA93-4919477E8D81 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 On 21 Mar 2014, at 11:41, Info / RIT.lt wrote: > Dear FreeBSD users, my first experience with FreeBSD was 14 years ago, = but due to hardware problems I chose Linux. After working with Linux for = 14 years, I decided to give a shot to FreeBSD again. After setting up = FreeBSD server with jails, I became a victim of DDoS which was launched = from my dedicated server, investigation led to NTP server, this = misconfiguration left with default settings shocked me, please fix this = configuration bug. >=20 > Firewall is for filtering traffic, but not for hiding buggy configs. >=20 > Regards, > Mindaugas Bubelis I kept silent so far, but this lets me frown a bit. We all know that there are people on the internet that try to hurt our = businesses, 24*7*365. All unprotected networks and hosts are targeted, 24*7*365. It is -very- common practise to setup a security perimeter, to only = allow traffic you want to have to your machine(s) and only let out traffic you want from your machine(s). I worked for = large scale ISP=92s, and we all did the same. Reading the mails from this thread leads me to believe that there is no = stateful firewall concept in place? Only allow the network you want to your NTP server(s) and deny the = others. Only let our your NTP server=92s to the internet to retrieve the date. Do that statefully and only traffic you send out should come back with = the last line mentioned, it is hard from the internet seen to hijack such a session and fool the firewall from letting the packet = back in to your NTP server. In my believing it is so that if you do not filter traffic, you are = making a deliberate choice to let everyone smack your service(s). That is not a problem but you also need to modify your configuration(s) = to make sure it is as safe as it gets. We (FreeBSD) updated the ntpd.conf file that is shipped as a Security Patch so that users = running our update facilities have that in place. However since people also change their configurations on their own or do not use that, = they need to be aware that they need to update the rules as well! We do not want to enforce our configuration changes to users who = might have a good reason for having an alternative setup! The only thing I saw from Brett that might need investigation is the = additional 'disable monitor=92, though would that break people=92s setup ? are people using that on purpose for some reason? Then we cannot = enforce it, just advice that this might be an solution to prevent issues. In my understanding and believing, stateful firewalling your networks is = the best option, making sure that only your own machines or a selected set of machines can access NTP resources on your network = (or the internet, whatever you prefer) and that traffic leaving your borders can only return if the firewall sees that you setup = the communication in the first place. In the above case: did you install the FreeBSD-release and never = updated? Then that is something -you- should have done. Installing something via delivered media is always out of date and needs to be = updated before first use. Thank you. Remko > ________________________________________ > From: owner-freebsd-security@freebsd.org = on behalf of Brett Glass = > Sent: Friday, March 21, 2014 6:44 AM > To: Micheas Herman; freebsd-security@freebsd.org > Subject: Re: NTP security hole CVE-2013-5211? >=20 > At 10:38 PM 3/20/2014, Micheas Herman wrote: >=20 >> While true, that does mean that amplification attacks are limited to = being >> able to attack those ten machines. >=20 > The amplifier/relay is also a victim, and can be completely disabled = by the attack > if its link to the Net becomes saturated. >=20 > --Brett Glass >=20 > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" --=20 /"\ Best regards, | remko@FreeBSD.org \ / Remko Lodder | remko@EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News --Apple-Mail=_20AE229B-882B-44AF-BA93-4919477E8D81 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTLB24AAoJEKjD27JZ84ywn1QP/1S8TeNgFM/WUKAtMVhcO7ij f6U4Dch4fEW+Z5xj9vWqL2rQ7spACWXDYGYa5EtdNMWNBUOtDAoqHPp6jkZdg9wq i5ZMj5N6NAKRt2lP48fzHqjNW8OM7ZHShzb+7azwZvoILBNXnS+l1iRljz7/+xL/ 4vGaj07H+Cbd8kh2A69BvXEmnDq7GKEPl1DDUe3L/LK1QckXIbe759Q+5Fq5/lC/ PdNqUOfseMNKAeZ4KVYqdoWPtCBQDy6Jt9x+m/8yfq3IOkAZp9AtGb1VPpiMcCEn yrwis/H6XGB0AlYt9VyXoQSFRHVN5V1q/SOWzPwaQ28xzHkZ5gV5uzPj9xMu8BQc kxJxDQ6T2Md3nUug/pW9YMMz7uJT0Lsaw2hjsko5r1dUzfGY7QZKciP5Hyix7FGS nK7W99GhTWzGqCVkdx0q+Yf6a8xMT8sUEk+IoOU55RJ3zyhrJgAtl1Zv/3IfJE+i GRV5RzH37aHyk6TjuJk5T2mYckqdKFvNRdaY5CV+l9tEogVKo6z6aW9g8tTYJRkk DeHd1jZpVKhjFiwg6epIeh4GW3ijK+Rp/vyGm6i/OheG62j3Y+Kuus87OMb3+7m9 cKwhfzbKNMVjmWKOprKYP47Wi+BZmqvr2e+A96iWxSFIjV17w59VcrYNGxVrDIFe l3EiqWYCuA0Iz6YHob4E =2fay -----END PGP SIGNATURE----- --Apple-Mail=_20AE229B-882B-44AF-BA93-4919477E8D81--