From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-security@freebsd.org
Date: Tue, 18 Mar 2014 07:41:16 +0000
Message-ID: <5327F89C.60606@FreeBSD.org>
Subject: Re: NTP security hole CVE-2013-5211?
In-Reply-To: <29310.1395114987@server1.tristatelogic.com>

On 18/03/2014 03:56, Ronald F. Guilmette wrote:
> (It was explained to me at the time that NTP operates a bit like DNS...
> with which I am more familiar... i.e. that all outbound requests originate
> on high numbered ports, well and truly away from all low numbered ports,
> including, in particular, 123. I am just re-verifying that my understanding
> in this regard is correct, and that my current blanket firewall rule is
> fine as it stands.)

It's not uncommon for NTP to have both source and destination ports set to 123. This was the standard some years back, but such things as NAT always meant that couldn't be relied on. I don't know if this is still seen as a normal practice, but all the NTP related entries sockstat shows me are bound to port 123 on the local side. Unlike DNS, I don't think there are any particular security penalties to not using a wide range of UDP source ports for NTP.
Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
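The check Matthew describes (reading sockstat to see which local port ntpd is bound to) and the question Ronald raises about his inbound firewall rule, as an added example that is not part of the thread. The sockstat lines are constructed sample output, and the firewall model assumes a stateless rule that blocks inbound UDP to a set of destination ports without tracking state.

```python
# Constructed sample of `sockstat -l` output on a FreeBSD host (not real data).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       1234  20 udp4   *:123                 *:*
root     ntpd       1234  21 udp6   *:123                 *:*
root     ntpd       1234  22 udp4   192.0.2.10:123        *:*
bind     named      987   20 udp4   192.0.2.10:53         *:*
root     sshd       611   4  tcp4   *:22                  *:*
"""


def daemon_local_udp_ports(sockstat_text, command="ntpd"):
    """Return the set of local UDP ports bound by sockets of `command`.

    Columns are USER COMMAND PID FD PROTO LOCAL FOREIGN; the port is the
    text after the last ':' of LOCAL, which also works for IPv6 literals.
    """
    ports = set()
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header line or something we cannot parse
        cmd, proto, local = fields[1], fields[4], fields[5]
        if cmd != command or not proto.startswith("udp"):
            continue
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def replies_reach_daemon(local_ports, blocked_inbound_dst_ports):
    """Model a stateless inbound filter on UDP destination ports (assumption).

    A reply to a query sent from local port P arrives with destination port P.
    If P is in the blocked set, the daemon's own replies are dropped, so a
    blanket inbound block on 123 breaks a client that sources from 123.
    """
    return not (set(local_ports) & set(blocked_inbound_dst_ports))


if __name__ == "__main__":
    ports = daemon_local_udp_ports(SAMPLE_SOCKSTAT)
    print("ntpd local UDP ports:", sorted(ports))
    print("replies pass a stateless block on dst 123:",
          replies_reach_daemon(ports, {123}))
```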