From: Fabian Wenk
Date: Thu, 16 Jan 2014 10:37:43 +0100
To: freebsd-security@freebsd.org
Subject: Re: UNS: Re: NTP security hole CVE-2013-5211?
Message-ID: <52D7A867.7070607@wenks.ch>
In-Reply-To: <868uuid7y3.fsf@nine.des.no>
References: <52CEAD69.6090000@grosbein.net> <21199.26019.698585.355699@hergotha.csail.mit.edu> <868uuid7y3.fsf@nine.des.no>
List-Id: "Security issues [members-only posting]"

Hello Dag-Erling

On 14.01.2014 14:11, Dag-Erling Smørgrav wrote:
> Garrett Wollman writes:
>> For a "pure" client, I would suggest "restrict default ignore" ought
>> to be the norm. (Followed by entries to unrestrict localhost over v4
>> and v6.)
>
> Pure clients shouldn't use ntpd(8). They should use sntp(8) or a
> lightweight NTP client like ttsntpd.

I think that is bad advice, since ntpd is much nicer to NTP servers (mainly the NTP Pool) than sntp is.

I am running a few NTP servers which are also in the NTP Pool, and I volunteer to be in the tr (Turkey) zone as well. In Turkey there is one large telecommunication company with a lot of CPEs which are doing sntp requests quite often. Even if the IP addresses for the Pool are rotated quickly, they are all using the same few DNS servers to resolve, and those are hammering the same few IP addresses at the same time. It is quite well visible in my graphs [1] with the large peaks. The quite stable ground traffic is from nice ntpd clients which are distributed evenly over the NTP Pool.

[1] http://www.home4u.ch/ntp/

bye
Fabian
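The following ntp.conf is an added example of the "pure client" setup Garrett Wollman suggests in the quoted text (deny everything by default, then unrestrict localhost over v4 and v6); it is not taken from the thread or from the FreeBSD base system. It assumes an ntpd recent enough to understand the pool directive together with "restrict source" (ntp 4.2.7 and later); the pool hostnames and driftfile path are placeholders. The caveat worth knowing: "restrict default ignore" drops every packet, including replies from the servers you sync to, so without the "restrict source" line (or one explicit restrict line per upstream address on older ntpd) the client never synchronises.

```conf
# Added example: "pure" ntpd client, not part of the original thread.
# Assumes ntp 4.2.7 or later (pool directive, "restrict source").

# Deny every packet, including ntpq/ntpdc queries, unless allowed below.
# Older ntpd applied "default" to v4 only, hence the explicit -6 line.
restrict default ignore
restrict -6 default ignore

# Unrestricted access from the local host only, v4 and v6.
restrict 127.0.0.1
restrict -6 ::1

# Upstream servers from the NTP Pool (placeholder zone names).
# With "restrict default ignore" their replies would be dropped too;
# "restrict source" applies these flags to whatever addresses the pool
# directive resolves to, so time packets get through while runtime
# modification and mode 6/7 queries are still refused.
pool 0.freebsd.pool.ntp.org iburst
pool 1.freebsd.pool.ntp.org iburst
restrict source nomodify notrap noquery

# Independent of the restrict lines, switch the monitor facility off so
# there is no monlist table to serve (the CVE-2013-5211 amplification
# vector, mode 7 "monlist").
disable monitor

# Placeholder path; use whatever your system's ntpd expects.
driftfile /var/db/ntpd.drift
```

After a restart, "ntpq -p" from the local host should list the pool servers with reachability climbing; from any other host both "ntpq -p" and "ntpdc -n -c monlist" should time out, which is the behaviour the default-ignore policy is meant to produce.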