Date: Tue, 31 Dec 2013 17:25:06 GMT
From: Brian Rak <brak@constant.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/185371: NTPD vulnerable to being used for DDOS
Message-ID: <201312311725.rBVHP6dM021874@oldred.freebsd.org>
Resent-Message-ID: <201312311730.rBVHU0kE021304@freefall.freebsd.org>

>Number:         185371
>Category:       misc
>Synopsis:       NTPD vulnerable to being used for DDOS
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 31 17:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Brian Rak
>Release:        9.1.0
>Organization:
>Environment:
FreeBSD XXXX 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
The FreeBSD default ntp.conf makes the NTP server vulnerable to being used for a DDOS attack.

Please see:
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
https://isc.sans.edu/diary/NTP+reflection+attack/17300
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks

The issue is in this configuration file:
http://svnweb.freebsd.org/base/release/9.2.0/etc/ntp.conf?revision=255898&view=markup

All the restrict lines are commented out (for reasons I'm unsure of, the comments don't make any sense).
>How-To-Repeat:
To determine if a server is vulnerable:

    ntpdc -c monlist SERVERIP

If you see a list of hosts, rather than 'timed out, nothing received', the machine can be exploited in this way.
>Fix:
You can replace all the existing (commented) restrict lines with the following:

    restrict default kod limited nomodify notrap nopeer noquery
    restrict -6 default kod limited nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict -6 ::1

This configuration will allow the NTP daemon to function correctly both as a client and server, and prevent it from being abused in this way.
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201312311725.rBVHP6dM021874>
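
The configuration check implied by the report, as an added example that is not part of the original message or of FreeBSD: a small ntp.conf auditor that ignores commented-out lines and reports which address families lack an active default restrict entry that blocks queries. The function names and the SHIPPED_STYLE sample are constructed for illustration; FIXED is the restrict block proposed in the report. It assumes, as the report's fix does, that IPv4 and IPv6 each need their own default entry, and it treats the ntpd restrict flag "ignore" as blocking queries as well as "noquery".

```python
"""Audit ntp.conf text for default 'restrict' entries that block ntpdc/ntpq queries."""

# Restrict flags that stop queries such as 'monlist' from being answered.
BLOCKING_FLAGS = {"noquery", "ignore"}

# Constructed sample: every restrict line is commented out, so none is active.
SHIPPED_STYLE = """\
server ntp.example.org iburst
#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
#restrict 127.0.0.1
"""

# The restrict block proposed in the problem report.
FIXED = """\
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""


def default_restrict_flags(conf_text):
    """Return the flag set of the active default entry per family (None if absent)."""
    found = {"ipv4": None, "ipv6": None}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments: they have no effect
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        family, rest = "ipv4", tokens[1:]
        if rest[0] in ("-4", "-6"):
            family = "ipv6" if rest[0] == "-6" else "ipv4"
            rest = rest[1:]
        if rest and rest[0] == "default":
            found[family] = set(rest[1:])
    return found


def audit(conf_text):
    """Return the address families whose default entry would still answer queries."""
    return [family for family, flags in default_restrict_flags(conf_text).items()
            if flags is None or not (flags & BLOCKING_FLAGS)]


if __name__ == "__main__":
    for name, text in (("shipped-style", SHIPPED_STYLE), ("fixed", FIXED)):
        exposed = audit(text)
        print(name, "->", "exposed: " + ", ".join(exposed) if exposed else "ok")
```

This inspects the file only; the ntpdc check in the report confirms what the running daemon actually answers.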