From owner-freebsd-security@FreeBSD.ORG  Sun Mar 16 07:21:38 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id E4FA8177;
 Sun, 16 Mar 2014 07:21:38 +0000 (UTC)
Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222])
 by mx1.freebsd.org (Postfix) with ESMTP id A45F29DD;
 Sun, 16 Mar 2014 07:21:38 +0000 (UTC)
Received: from critter.freebsd.dk (critter.freebsd.dk [192.168.61.3])
 by phk.freebsd.dk (Postfix) with ESMTP id 93C6B3EB45;
 Sun, 16 Mar 2014 07:21:30 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
 by critter.freebsd.dk (8.14.8/8.14.8) with ESMTP id s2G7LTQk034940;
 Sun, 16 Mar 2014 07:21:29 GMT (envelope-from phk@phk.freebsd.dk)
To: Julian Elischer <julian@freebsd.org>
Subject: Re: NTP security hole CVE-2013-5211?
In-reply-to: <5323C244.8050101@freebsd.org>
From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
References: <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org>
 <52CEAD69.6090000@grosbein.net>
 <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org>
 <52CF82C0.9040708@delphij.net>
 <CAO82ECEsS-rKq7A-9w7VuxKpe_c_f=tvZQoRKgHEfi-yPdNeGQ@mail.gmail.com>
 <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch>
 <201403141700.LAA21140@mail.lariat.net> <5323C244.8050101@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
Date: Sun, 16 Mar 2014 07:21:28 +0000
Message-ID: <34939.1394954488@critter.freebsd.dk>
Cc: freebsd-security@freebsd.org, Fabian Wenk <fabian@wenks.ch>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Mar 2014 07:21:39 -0000

In message <5323C244.8050101@freebsd.org>, Julian Elischer writes:

>the best solution is to add a firewall stateful rule so that the ONLY 
>port 123 udp packet that gets in is one that is a response to one you 
>sent out first.

And to deny any packet which is too short:

	deny udp from any to any dst-port 123 iplen 0-75

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.