Date: Fri, 27 Dec 2013 13:35:50 GMT
From: Florian Ermisch <florian.ermisch@alumni.tu-berlin.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: conf/185229: ntpd with default /etc/ntp.conf can be used for NTP Reflection Attacks
Message-ID: <201312271335.rBRDZoUK046906@oldred.freebsd.org>
Resent-Message-ID: <201312271340.rBRDe0tX035817@freefall.freebsd.org>
>Number:         185229
>Category:       conf
>Synopsis:       ntpd with default /etc/ntp.conf can be used for NTP Reflection Attacks
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 27 13:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Florian Ermisch
>Release:        9.2-RELEASE
>Organization:
>Environment:
FreeBSD $HOSTNAME 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013 root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
I've received an abuse report about a VM of mine participating in an NTP Reflection Attack (and being disabled by the provider). The VM was running FreeBSD 9.2 amd64 (fresh installation) and I enabled ntpd to have the system time synchronized for security/pam_google_authenticator a week ago. I didn't change the default /etc/ntp.conf, though.

From the abuse report my provider forwarded to me:

  Public NTP server used for an attack: 5.45.xxx.xxx

  You are running a public NTP server that participated in a very large-scale attack against a customer of ours today, generating UDP responses to spoofed requests with bogus timestamps that claimed to be from the attack target. Your server was particularly active in the attack, sending a significant portion of the attack traffic we saw.

  Please consider reconfiguring your NTP server in one or more of these ways:

  - Set your NTP installation to act as a client only. With ntpd, that can be done with "restrict default ignore" in /etc/ntp.conf; other servers should have a similar configuration option. A firewall rule to block UDP to the public IP address on port 123 would also work for this. More information can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
  - Adjust your firewall or NTP server configuration so that it only serves your customers and does not respond to outside IP addresses
  - Rate-limit responses to individual source IP addresses, silently discarding those that exceed a low number, such as one request per IP address per second
  - Limit queries to TCP-only
  - Ignore particularly unlikely queries, such as those representing dates far in the future or past
  - Limit the size of allowed responses; today's were 440 bytes, which were very large

  [...]
>How-To-Repeat:
- Install FreeBSD 9.2 on a system with a public IP (and no firewall blocking 123/udp between the system and the public internet)
- Enable ntpd without changing the default /etc/ntp.conf
>Fix:
Add "restrict" statements like the following to the default /etc/ntp.conf on FreeBSD so the system cannot be used in an NTP Reflection Attack:

  # by default act only as a basic NTP client
  restrict -4 default nomodify nopeer noquery notrap
  restrict -6 default nomodify nopeer noquery notrap
  # allow NTP messages from the loopback address, useful for debugging
  restrict 127.0.0.1
  restrict ::1

(from https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html)

Most systems are only NTP clients, and if the operator wants to run an NTP server the ntp.conf will probably be tweaked anyway.
>Release-Note:
>Audit-Trail:
>Unformatted:
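The following is an added example, not part of the PR above and not FreeBSD's or ntpd's own code: a small audit that reads an ntp.conf and reports, per address family, whether the effective `restrict default` entry still answers queries from arbitrary remote sources (the condition the abuse report describes) and which of the four flags proposed in the Fix section are missing. The sample configurations embedded in the block are constructed for the example and are not FreeBSD's shipped file. It assumes ntpd's restrict semantics as documented: the most specific matching entry wins, `default` covers everything else, an unqualified `restrict default` applies to both IPv4 and IPv6, and flags given on repeated entries for the same address are merged.

```python
"""Audit the 'restrict default' entries of an ntp.conf for reflector risk.

A remote host can use ntpd as a reflector when the default restrict entry
for its address family carries neither 'noquery' nor 'ignore'.  Flags on
repeated entries for the same address are treated as merged (assumption,
based on ntpd's documented restrict handling).
"""

BLOCKING = {"ignore", "noquery"}                          # stops remote queries
RECOMMENDED = {"nomodify", "nopeer", "noquery", "notrap"}  # the PR's proposed set


def parse_restrict(conf_text):
    """Return (family, target, flags) for every 'restrict' statement.

    family is 'inet' (-4), 'inet6' (-6) or 'any' when neither is given;
    a 'mask <netmask>' pair is skipped so only flag keywords are collected.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = "any"
        if tokens[0] in ("-4", "-6"):
            family = "inet" if tokens[0] == "-4" else "inet6"
            tokens = tokens[1:]
            if not tokens:
                continue
        target, rest = tokens[0], tokens[1:]
        flags = set()
        i = 0
        while i < len(rest):
            if rest[i] == "mask":
                i += 2                                # skip the netmask value
            else:
                flags.add(rest[i])
                i += 1
        entries.append((family, target, flags))
    return entries


def default_flags(entries, family):
    """Merged flag set applying to otherwise unmatched sources of one family."""
    flags = set()
    for fam, target, f in entries:
        if target == "default" and fam in ("any", family):
            flags |= f
    return flags


def audit(conf_text):
    """Per family: effective default flags, reflector risk, missing PR flags."""
    entries = parse_restrict(conf_text)
    report = {}
    for family in ("inet", "inet6"):
        flags = default_flags(entries, family)
        report[family] = {
            "flags": sorted(flags),
            "reflector": not (flags & BLOCKING),
            # 'ignore' already drops everything, so nothing further is needed
            "missing": [] if "ignore" in flags else sorted(RECOMMENDED - flags),
        }
    return report


# Constructed sample configurations for the example (not FreeBSD's files).
NO_RESTRICT_CONF = """\
# client only, but nothing restricts who may query the daemon
server 0.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
"""

V4_ONLY_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict -4 default nomodify nopeer noquery notrap   # IPv6 left open
restrict 127.0.0.1
"""

HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
# by default act only as a basic NTP client
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
# allow NTP messages from the loopback address, useful for debugging
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("no restrict", NO_RESTRICT_CONF),
                       ("v4 only", V4_ONLY_CONF),
                       ("hardened", HARDENED_CONF)):
        for family, r in audit(conf).items():
            state = "REFLECTOR" if r["reflector"] else "ok"
            print(f"{name:12s} {family:5s} {state:9s} missing={r['missing']}")
```

Running the block shows why the PR adds both a `-4` and a `-6` line: a configuration that hardens only the IPv4 default still reports the IPv6 default as open. Feeding the script the configuration the abuse report suggests (`restrict default ignore` plus explicit entries for the time servers) reports no reflector risk for either family.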