Date: Fri, 14 Mar 2014 21:27:00 +0100
From: Dimitry Andric <dim@FreeBSD.org>
To: Brett Glass <brett@lariat.org>
Cc: freebsd-security@freebsd.org, Fabian Wenk <fabian@wenks.ch>
Subject: Re: NTP security hole CVE-2013-5211?
Message-ID: <106CC1B8-932F-44CD-B307-C5B470359ABD@FreeBSD.org>
In-Reply-To: <201403141700.LAA21140@mail.lariat.net>
References: <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <CAO82ECEsS-rKq7A-9w7VuxKpe_c_f=tvZQoRKgHEfi-yPdNeGQ@mail.gmail.com> <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch> <201403141700.LAA21140@mail.lariat.net>
On 14 Mar 2014, at 16:38, Brett Glass <brett@lariat.org> wrote:

> Two months after this vulnerability was announced, we're still seeing attempts to use the NTP "monitor" query to execute and amplify DDoS attacks. Unfortunately, FreeBSD, in its default configuration, will amplify the attacks if not patched and will still relay them (by sending "rejection" packets), obfuscating the source of the attack, if the system is patched using freebsd-update but the default ntp.conf file is not changed.
>
> To avoid this, it's necessary to change /etc/ntp.conf to include the following lines:
>
> # Stop amplification attacks via NTP servers
> disable monitor
> restrict default kod nomodify notrap nopeer noquery
> restrict 127.0.0.1
> restrict 127.127.1.0
> # Note: Comment out these lines on machines without IPv6
> restrict -6 default kod nomodify notrap nopeer noquery
> restrict -6 ::1
>
> We've tested this configuration on our servers and it successfully prevents the latest patches of FreeBSD 9.x and 10.0 from participating in a DDoS attack, either as a relay or as an amplifier.
>
> Some of our own systems which were probed prior to the time we secured them are still receiving a large stream of attack packets, apparently from a botnet.
>
> I'd recommend that the lines above be included in the default /etc/ntp.conf in all future releases, and that all systems that use the default ntp.conf without modification be patched automatically via freebsd-update.

It looks like you missed http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc then? It was released on Jan 14, and has all the instructions on how to patch your system. It also shows this was fixed for all supported FreeBSD releases.
-Dimitry
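As an added example (not part of this thread, nor FreeBSD's or ntpd's own code), a small audit of an ntp.conf for the hardening quoted above: `disable monitor` and `noquery` (or `ignore`) on the default restrict entries for IPv4 and IPv6. The two config samples are constructed; treating an unqualified `restrict default` as covering both address families is an assumption about ntpd 4.2.6+ semantics, which is why the quoted config spells out the `-6` line separately.

```python
"""Audit an ntp.conf for the CVE-2013-5211 monlist-amplification mitigations."""

# Constructed sample: a minimal config with no restrict lines at all.
VULNERABLE_CONF = """\
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
"""

# Constructed sample: the lines recommended in the thread.
HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
# Stop amplification attacks via NTP servers
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1
"""


def parse_ntp_conf(text):
    """Walk the config in order (later directives win). ntpd enables the monitor
    facility unless told otherwise, so that is the starting state."""
    state = {"monitor": True, "v4": None, "v6": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        cmd, *args = line.split()
        if cmd in ("enable", "disable") and "monitor" in args:
            state["monitor"] = cmd == "enable"
        elif cmd == "restrict":
            families = {"v4", "v6"}                   # assumption: unqualified = both
            if args and args[0] in ("-4", "-6"):
                families = {"v4"} if args[0] == "-4" else {"v6"}
                args = args[1:]
            if args and args[0] == "default":         # only the default entry matters here
                for fam in families:
                    state[fam] = set(args[1:])
    return state


def audit(text):
    """Return a list of findings; an empty list means the mitigations are present."""
    st = parse_ntp_conf(text)
    findings = []
    if st["monitor"]:
        findings.append("monitor enabled: the mode-7 monlist query is answered")
    for fam in ("v4", "v6"):
        flags = st[fam]
        if flags is None:
            findings.append(f"{fam}: no 'restrict default' entry, so any client may query")
        elif not flags & {"noquery", "ignore"}:
            findings.append(f"{fam}: 'restrict default' lacks noquery (or ignore)")
    return findings
```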