Date: Thu, 20 Mar 2014 13:41:06 -0700 From: "Ronald F. Guilmette" <rfg@tristatelogic.com> To: freebsd-security@freebsd.org Subject: URGENT? (was: Re: NTP security hole CVE-2013-5211?) Message-ID: <45158.1395348066@server1.tristatelogic.com> In-Reply-To: <201403202028.OAA01351@mail.lariat.net>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <201403202028.OAA01351@mail.lariat.net>, Brett Glass <brett@lariat.org> wrote: >... >And the need to do so is becoming more urgent. Just over the past 24 hours, >I am seeing attempted attacks on our servers in which the forged packets >have source port 123. Obviously, they're counting on users having "secured" >their systems with firewall rules that this will bypass. >... >And, as you state above, outbound queries should use randomized ephemeral >source ports as with DNS. This involves a patch to the ntpd that's shipped >with FreeBSD, because it is currently compiled to use source port 123. I'm no expert, but I'll go out on a limb here anyway and say that the choice to make NTP outbound queries always use source port 123 is, as far as I can see, really really ill-advised. Did we learn nothing from all of the bruhaha a couple of years ago about DNS amplification attacks and the ways that were finally settled on to effectively thwart them (most specifically the randomization of query source ports)? I dearly hope that someone on this list who does in fact have commit privs will jump on this Right Away. I'm not persuaded that running a perfectly configured ipfw... statefully, no less... should be an absolute prerequsite for running any Internet-connected FreeBSD-based device that simply wishes to always know the correct time.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45158.1395348066>