Date: Sat, 15 Mar 2014 12:32:37 -0600
From: Brett Glass <brett@lariat.org>
To: d@delphij.net, d@delphij.net, Fabian Wenk <fabian@wenks.ch>, freebsd-security@freebsd.org
Cc: Ollivier Robert <roberto@freebsd.org>, hackers@lists.ntp.org
Subject: Re: NTP security hole CVE-2013-5211?
Message-ID: <201403151833.MAA04912@mail.lariat.net>
In-Reply-To: <53248B48.5040108@delphij.net>
References: <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <CAO82ECEsS-rKq7A-9w7VuxKpe_c_f=tvZQoRKgHEfi-yPdNeGQ@mail.gmail.com> <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch> <201403141700.LAA21140@mail.lariat.net> <5323AF47.9080107@delphij.net> <201403150343.VAA27172@mail.lariat.net> <5323E670.5020905@delphij.net> <201403150931.DAA29130@mail.lariat.net> <53248B48.5040108@delphij.net>
At 11:18 AM 3/15/2014, Xin Li wrote:

>Either it wouldn't or my test was wrong. My test was 'ntpdc -c
>monlist' and tcpdump.

My test was to actually expose the server to the attack I was experiencing. Note that these packets might not have been exactly the same ones that are sent by ntpdc. For every packet it received, the server sent a rejection to the source IP, which was spoofed. The relaying stopped when I added the lines I mentioned in my previous message to the configuration file.

It is good practice to have those lines in the file anyway, to provide effective access control. If one does not intend to be running a public NTP server, the server should not be open to the world; in fact, it should probably be behind a stateful firewall that does not accept packets destined for UDP port 123 from the Internet at large unless they are known to be responses to queries. I've implemented this in the IPFW rules of all of my servers.

--Brett Glass
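The stateful IPFW arrangement described above, written out as an added example (not Brett's actual ruleset, and not part of the thread). It assumes ipfw(8) on FreeBSD, an external interface named em0, and upstream servers in the documentation range 192.0.2.0/24 as constructed placeholders; it complements, rather than replaces, the access-control lines in ntp.conf.

```shell
#!/bin/sh
# Stateful IPFW rules for a host that syncs time but must not answer NTP
# queries from the Internet at large. Added example; names below are assumed.
# Set FWCMD="echo ipfw" to preview the rules instead of applying them.
FWCMD="${FWCMD:-ipfw}"
EXT_IF="${EXT_IF:-em0}"                              # assumed external interface
NTP_SERVERS="${NTP_SERVERS:-192.0.2.10 192.0.2.11}"  # constructed placeholder IPs

ntp_firewall_rules() {
    # Packets matching an existing dynamic entry are accepted here, so
    # replies to our own queries get in before the deny rule below.
    $FWCMD add 1000 check-state

    # Each outbound query to a configured upstream server creates a dynamic
    # entry; only the matching reply (same addresses and ports) can use it.
    for srv in $NTP_SERVERS; do
        $FWCMD add 1010 allow udp from me to "$srv" 123 out via "$EXT_IF" keep-state
    done

    # Anything else arriving for UDP port 123 from outside is unsolicited
    # (including monlist queries with spoofed sources) and is dropped.
    $FWCMD add 1020 deny log udp from any to me 123 in via "$EXT_IF"
}

# Apply only when explicitly asked: sh ntp_ipfw.sh apply
if [ "${1:-}" = "apply" ]; then
    ntp_firewall_rules
fi
```

Run with FWCMD="echo ipfw" first to review the generated rules; the deny rule logs hits, so ipfw's log output shows which addresses are still probing port 123.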
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403151833.MAA04912>