From owner-freebsd-bugs@FreeBSD.ORG Fri Dec 27 13:40:00 2013
Message-Id: <201312271335.rBRDZoUK046906@oldred.freebsd.org>
Date: Fri, 27 Dec 2013 13:35:50 GMT
From: Florian Ermisch
To: freebsd-gnats-submit@FreeBSD.org
Subject: conf/185229: ntpd with default /etc/ntp.conf can be used for NTP Reflection Attacks

>Number:         185229
>Category:       conf
>Synopsis:       ntpd with default /etc/ntp.conf can be used for NTP Reflection Attacks
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 27 13:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Florian Ermisch
>Release:        9.2-RELEASE
>Organization:
>Environment:
FreeBSD $HOSTNAME 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013 root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
I've received an abuse report about a VM of mine participating in an NTP Reflection Attack (and being disabled by the provider). The VM was running FreeBSD 9.2 amd64 (fresh installation) and I enabled ntpd to have the system time synchronized for security/pam_google_authenticator a week ago. I didn't change the default /etc/ntp.conf, though.
From the abuse report my provider forwarded to me:

    Public NTP server used for an attack: 5.45.xxx.xxx

    You are running a public NTP server that participated in a very large-scale attack against a customer of ours today, generating UDP responses to spoofed requests with bogus timestamps that claimed to be from the attack target. Your server was particularly active in the attack, sending a significant portion of the attack traffic we saw.

    Please consider reconfiguring your NTP server in one or more of these ways:

    - Set your NTP installation to act as a client only. With ntpd, that can be done with "restrict default ignore" in /etc/ntp.conf; other servers should have a similar configuration option. A firewall rule to block UDP to the public IP address on port 123 would also work for this. More information can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
    - Adjust your firewall or NTP server configuration so that it only serves your customers and does not respond to outside IP addresses
    - Rate-limit responses to individual source IP addresses, silently discarding those that exceed a low number, such as one request per IP address per second
    - Limit queries to TCP-only
    - Ignore particularly unlikely queries, such as those representing dates far in the future or past
    - Limit the size of allowed responses; today's were 440 bytes, which were very large

    [...]
>How-To-Repeat:
- Install FreeBSD 9.2 on a system with a public IP (and no firewall blocking 123/udp between the system and the public internet)
- Enable ntpd without changing the default /etc/ntp.conf
>Fix:
Add "restrict" statements like the following to the default /etc/ntp.conf on FreeBSD so the system cannot be used in an NTP Reflection Attack:

    # by default act only as a basic NTP client
    restrict -4 default nomodify nopeer noquery notrap
    restrict -6 default nomodify nopeer noquery notrap
    # allow NTP messages from the loopback address, useful for debugging
    restrict 127.0.0.1
    restrict ::1

(from https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html)

Most systems are only NTP clients, and if the operator wants to run an NTP server the ntp.conf will probably be tweaked anyway.
>Release-Note:
>Audit-Trail:
>Unformatted:
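Added example, not part of the PR or of FreeBSD: a small Python audit that checks whether an ntp.conf carries the "restrict default" hardening proposed in the Fix section above, handling the -4/-6 family switches, a bare "default" that covers both families, and the stricter "ignore" alternative the abuse report mentions. The sample configs (pool hostnames, driftfile path) are constructed for the demonstration and are not the real FreeBSD default file.

```python
# Flags that together stop the default (anyone) class from abusing ntpd as a
# reflector: noquery refuses mode 6/7 control queries, the others refuse
# peering, runtime modification and trap service.
REQUIRED_FLAGS = {"nomodify", "nopeer", "noquery", "notrap"}

def parse_restrict_defaults(conf_text):
    """Map 'ipv4'/'ipv6' to the flag set of their 'restrict default' line,
    or None when no such line covers that address family."""
    families = {"ipv4": None, "ipv6": None}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        targets = ["ipv4", "ipv6"]                 # bare 'default' covers both
        if tokens[1] in ("-4", "-6"):
            targets = ["ipv4"] if tokens[1] == "-4" else ["ipv6"]
            tokens = tokens[1:]                    # shift so tokens[1] is the address
        if len(tokens) < 2 or tokens[1] != "default":
            continue                               # host-specific line, not default
        for fam in targets:
            families[fam] = set(tokens[2:])        # last default line seen wins here
    return families

def audit_ntp_conf(conf_text):
    """Return findings as strings; an empty list means the defaults are hardened."""
    findings = []
    for fam, flags in parse_restrict_defaults(conf_text).items():
        if flags is None:
            findings.append(f"{fam}: no 'restrict default' line, ntpd answers anyone")
        elif "ignore" not in flags:                # 'ignore' alone is client-only
            missing = sorted(REQUIRED_FLAGS - flags)
            if missing:
                findings.append(f"{fam}: 'restrict default' lacks " + " ".join(missing))
    return findings

# Constructed sample, not the real FreeBSD default file: servers, no restrict lines.
UNRESTRICTED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
"""

# Same sample plus the restrict block from the PR's Fix section.
HARDENED_CONF = UNRESTRICTED_CONF + """\
# by default act only as a basic NTP client
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
# allow NTP messages from the loopback address, useful for debugging
restrict 127.0.0.1
restrict ::1
"""
```

Run audit_ntp_conf(open("/etc/ntp.conf").read()) on a host to see which address family still lacks the restriction; only the "restrict default" class is checked, since more specific restrict lines (such as the loopback ones) override it per address.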