From owner-freebsd-security@FreeBSD.ORG Fri Mar 21 21:28:27 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id F12751D8 for ; Fri, 21 Mar 2014 21:28:27 +0000 (UTC) Received: from mail.jr-hosting.nl (mail.jr-hosting.nl [IPv6:2a01:4f8:141:5ffd::25]) by mx1.freebsd.org (Postfix) with ESMTP id 99A7E395 for ; Fri, 21 Mar 2014 21:28:27 +0000 (UTC) Received: from [IPv6:2001:470:d701::e1fc:8948:56ee:29ea] (unknown [IPv6:2001:470:d701:0:e1fc:8948:56ee:29ea]) by mail.jr-hosting.nl (Postfix) with ESMTPSA id 337793F492; Fri, 21 Mar 2014 22:28:25 +0100 (CET) Content-Type: multipart/signed; boundary="Apple-Mail=_7154F1F9-7C28-40EA-BF8B-62041B9AE070"; protocol="application/pgp-signature"; micalg=pgp-sha1 Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) Subject: Re: NTP security hole CVE-2013-5211? From: Remko Lodder In-Reply-To: <51381.1395429637@server1.tristatelogic.com> Date: Fri, 21 Mar 2014 22:28:23 +0100 Message-Id: <8F3083F1-3A20-4FEC-9969-F9968D87569E@FreeBSD.org> References: <51381.1395429637@server1.tristatelogic.com> To: "Ronald F. Guilmette" X-Mailer: Apple Mail (2.1874) Cc: "freebsd-security@freebsd.org" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Mar 2014 21:28:28 -0000 --Apple-Mail=_7154F1F9-7C28-40EA-BF8B-62041B9AE070 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 On 21 Mar 2014, at 20:20, Ronald F. Guilmette = wrote: >=20 > In message ,=20 > Remko Lodder wrote: >=20 >> Reading the mails from this thread leads me to believe that there is = no >> stateful firewall concept in place? >=20 > I am not the poster to whom you were responding (info@rit.lt), however > speaking only for myself I will confess that yes, in my case at least, > although I have used ipfw for many years, I have never (until now) = found > any compelling need to either understand or make use of any of ipfw's > stateful capabilities. Hi Ronald, That is =91fine=92 ofcourse but makes you vulnerable to the =91crap=92 = that is hitting your doorway now. Rest assured that you are already doing a great step = in at least filtering your machines and as you demonstrate you are active on the internet to get the information you need to do it properly. That is = already way better then a lot of other people. A question that pops my mind: Do you think we (security people) needed = to be more verbose about why this might have been a good idea? or could we = have done a better job in reasoning why stateful has it=92s advantages? >=20 >> In my believing it is so that if you do not filter traffic, you are >> making a deliberate choice to let everyone smack your service(s). >=20 > I personally *do* most certainly filter traffic, and have done, since > I first connected *any* machine of mine to the Internet. I can assure > yoy that I never made any deliberate choice to let everyone smack me > around. Nontheless, that clearly did happen, eventually, when = evil-doers > decided, relatively recently, to use & abuse me as an NTP reflector, = but > my participation in this was not in any sense deliberate on my part, = and > arose strictly out of ignorance, for which I am suitably humbled and > apologetic. Let me offer my apologies, I did not want to make you feel ignorant or = anything. What I meant is that everyone should filter on their machines, or if = possible even ahead of their machines at the gateways. Stopping traffic you do = not want should occur at the border so that it never ever reaches the machines it = is not supposed to reach. People do make a living in =91pestering=92 you and I (and many others) = and now smacking your NTP server(s) is gaining them something, or they wouldn=92t = just do it. My best advice in this case might be that only allowing in the networks = you want to have in on your NTP server (Stateful) prevents people that you = do not want to have their in the first place. Only letting out the traffic you = want (also stateful) prevents bogus replies because they most likely are = caught at the firewall already. Ofcourse the software should be well protected as well, and secteam@ did = his best to offer the best solution possible. Though as mentioned by Brett = for example we just cannot force the update of ntpd.conf on user machines = because every admin could have legitimate reasons for having a configuration in = place they decided to have. It=92s risky to change those things and especially = enforce them on running machines. Most of his ideas were in the advisory already except for the =91disable monitor=92 part, which might be reason to = discuss whether that makes sense or not. Thank you, Remko >=20 >=20 > Regards, > rfg > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" --=20 /"\ Best regards, | remko@FreeBSD.org \ / Remko Lodder | remko@EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News --Apple-Mail=_7154F1F9-7C28-40EA-BF8B-62041B9AE070 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTLK73AAoJEKjD27JZ84ywMpcQAKINH2ZhAOthD+12a6acMRG4 5cDfWQb//28/2Brzxx7O7V/VANxW2gkd+FU+nNP8jaE0yQYfWufEPz4u8ZHqgfJy hPDCenASgYUJ189vJBODl7WMJw0vpr0mHnK9LEf9VXAX6Y/KhdL5kYxeHSL3qhOk um72FOqXRry10XttgIIu3aNToNqkV6rbfQp7eHmbsCl/eetN5XDAGnqmr5DKBeLq WUcwqhuzGPpPQtINH7+sQ24PFE8YtRUP7nIVhIXgffIy+iBMP6J4JY2SUIvyRxtk SeaLyMhXHW26e3SRTkC6gHhOgS3BsMeOhmSB7OMG3sLPOBw0m4bw1tVAK35nMMws CqCACV2O3JYr3u9ThlNl7Hke6oCl8P4f3N8LKaWjrH5KLvR6ci9ApLKv2lhFWAzQ eJN5Xr9ghEzqctsIEeKXgeh+tIqMSDTSsmVrIwV3lgK9tLLtTcnOQ+NouC7IdJa+ 5bu8kqfir1/Ih8A9Dh93IKFodzoNGQgN4j0HGtceqWig6BDxopcpycaANYZm/qLw v9xxsWzuuwuaALfJv1Z/I5EEsjn59UaF8AM0jiE4L8piTq70Zc19KLUTA496zX5/ +8q5jQN9yLxfMkXyjrWSZq0lJGGH8/LLMuCvyXZOdnLuiYSVr6O+qz0DlzxSIJ4g SjAbXlt1cFY3V+mxIgvV =nHAw -----END PGP SIGNATURE----- --Apple-Mail=_7154F1F9-7C28-40EA-BF8B-62041B9AE070--