Date: Fri, 21 Mar 2014 12:08:40 +0100 From: Remko Lodder <remko@FreeBSD.org> To: "Info / RIT.lt" <info@rit.lt> Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, Micheas Herman <m@micheas.net> Subject: Re: NTP security hole CVE-2013-5211? Message-ID: <AD479A36-993D-442A-AA07-AB52D8198624@FreeBSD.org> In-Reply-To: <bf87380c6cba4318aefb740a2f2ae69e@DBXPR06MB318.eurprd06.prod.outlook.com> References: <201403210421.WAA05406@mail.lariat.net> <CAJw6ijkqBTzcD-WyOQtiU3=R2W8fZjKR=qo5AW9836fOkyNudQ@mail.gmail.com>, <201403210444.WAA05541@mail.lariat.net> <bf87380c6cba4318aefb740a2f2ae69e@DBXPR06MB318.eurprd06.prod.outlook.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Apple-Mail=_20AE229B-882B-44AF-BA93-4919477E8D81 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 On 21 Mar 2014, at 11:41, Info / RIT.lt <info@rit.lt> wrote: > Dear FreeBSD users, my first experience with FreeBSD was 14 years ago, = but due to hardware problems I chose Linux. After working with Linux for = 14 years, I decided to give a shot to FreeBSD again. After setting up = FreeBSD server with jails, I became a victim of DDoS which was launched = from my dedicated server, investigation led to NTP server, this = misconfiguration left with default settings shocked me, please fix this = configuration bug. >=20 > Firewall is for filtering traffic, but not for hiding buggy configs. >=20 > Regards, > Mindaugas Bubelis I kept silent so far, but this lets me frown a bit. We all know that there are people on the internet that try to hurt our = businesses, 24*7*365. All unprotected networks and hosts are targeted, 24*7*365. It is -very- common practise to setup a security perimeter, to only = allow traffic you want to have to your machine(s) and only let out traffic you want from your machine(s). I worked for = large scale ISP=92s, and we all did the same. Reading the mails from this thread leads me to believe that there is no = stateful firewall concept in place? Only allow the network you want to your NTP server(s) and deny the = others. Only let our your NTP server=92s to the internet to retrieve the date. Do that statefully and only traffic you send out should come back with = the last line mentioned, it is hard from the internet seen to hijack such a session and fool the firewall from letting the packet = back in to your NTP server. In my believing it is so that if you do not filter traffic, you are = making a deliberate choice to let everyone smack your service(s). That is not a problem but you also need to modify your configuration(s) = to make sure it is as safe as it gets. We (FreeBSD) updated the ntpd.conf file that is shipped as a Security Patch so that users = running our update facilities have that in place. However since people also change their configurations on their own or do not use that, = they need to be aware that they need to update the rules as well! We do not want to enforce our configuration changes to users who = might have a good reason for having an alternative setup! The only thing I saw from Brett that might need investigation is the = additional 'disable monitor=92, though would that break people=92s setup ? are people using that on purpose for some reason? Then we cannot = enforce it, just advice that this might be an solution to prevent issues. In my understanding and believing, stateful firewalling your networks is = the best option, making sure that only your own machines or a selected set of machines can access NTP resources on your network = (or the internet, whatever you prefer) and that traffic leaving your borders can only return if the firewall sees that you setup = the communication in the first place. In the above case: did you install the FreeBSD-release and never = updated? Then that is something -you- should have done. Installing something via delivered media is always out of date and needs to be = updated before first use. Thank you. Remko > ________________________________________ > From: owner-freebsd-security@freebsd.org = <owner-freebsd-security@freebsd.org> on behalf of Brett Glass = <brett@lariat.org> > Sent: Friday, March 21, 2014 6:44 AM > To: Micheas Herman; freebsd-security@freebsd.org > Subject: Re: NTP security hole CVE-2013-5211? >=20 > At 10:38 PM 3/20/2014, Micheas Herman wrote: >=20 >> While true, that does mean that amplification attacks are limited to = being >> able to attack those ten machines. >=20 > The amplifier/relay is also a victim, and can be completely disabled = by the attack > if its link to the Net becomes saturated. >=20 > --Brett Glass >=20 > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" --=20 /"\ Best regards, | remko@FreeBSD.org \ / Remko Lodder | remko@EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News --Apple-Mail=_20AE229B-882B-44AF-BA93-4919477E8D81 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTLB24AAoJEKjD27JZ84ywn1QP/1S8TeNgFM/WUKAtMVhcO7ij f6U4Dch4fEW+Z5xj9vWqL2rQ7spACWXDYGYa5EtdNMWNBUOtDAoqHPp6jkZdg9wq i5ZMj5N6NAKRt2lP48fzHqjNW8OM7ZHShzb+7azwZvoILBNXnS+l1iRljz7/+xL/ 4vGaj07H+Cbd8kh2A69BvXEmnDq7GKEPl1DDUe3L/LK1QckXIbe759Q+5Fq5/lC/ PdNqUOfseMNKAeZ4KVYqdoWPtCBQDy6Jt9x+m/8yfq3IOkAZp9AtGb1VPpiMcCEn yrwis/H6XGB0AlYt9VyXoQSFRHVN5V1q/SOWzPwaQ28xzHkZ5gV5uzPj9xMu8BQc kxJxDQ6T2Md3nUug/pW9YMMz7uJT0Lsaw2hjsko5r1dUzfGY7QZKciP5Hyix7FGS nK7W99GhTWzGqCVkdx0q+Yf6a8xMT8sUEk+IoOU55RJ3zyhrJgAtl1Zv/3IfJE+i GRV5RzH37aHyk6TjuJk5T2mYckqdKFvNRdaY5CV+l9tEogVKo6z6aW9g8tTYJRkk DeHd1jZpVKhjFiwg6epIeh4GW3ijK+Rp/vyGm6i/OheG62j3Y+Kuus87OMb3+7m9 cKwhfzbKNMVjmWKOprKYP47Wi+BZmqvr2e+A96iWxSFIjV17w59VcrYNGxVrDIFe l3EiqWYCuA0Iz6YHob4E =2fay -----END PGP SIGNATURE----- --Apple-Mail=_20AE229B-882B-44AF-BA93-4919477E8D81--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AD479A36-993D-442A-AA07-AB52D8198624>