From owner-freebsd-security@FreeBSD.ORG Thu Mar 20 20:43:32 2014
From: "Ronald F. Guilmette"
To: freebsd-security@freebsd.org
Subject: URGENT? (was: Re: NTP security hole CVE-2013-5211?)
In-Reply-To: <201403202028.OAA01351@mail.lariat.net>
Date: Thu, 20 Mar 2014 13:41:06 -0700
Message-ID: <45158.1395348066@server1.tristatelogic.com>

In message <201403202028.OAA01351@mail.lariat.net>, Brett Glass wrote:
>...
>And the need to do so is becoming more urgent. Just over the past 24 hours,
>I am seeing attempted attacks on our servers in which the forged packets
>have source port 123. Obviously, they're counting on users having "secured"
>their systems with firewall rules that this will bypass.
>...
>And, as you state above, outbound queries should use randomized ephemeral
>source ports as with DNS. This involves a patch to the ntpd that's shipped
>with FreeBSD, because it is currently compiled to use source port 123.
I'm no expert, but I'll go out on a limb here anyway and say that the choice to make NTP outbound queries always use source port 123 is, as far as I can see, really really ill-advised. Did we learn nothing from all of the brouhaha a couple of years ago about DNS amplification attacks and the ways that were finally settled on to effectively thwart them (most specifically the randomization of query source ports)? I dearly hope that someone on this list who does in fact have commit privs will jump on this Right Away. I'm not persuaded that running a perfectly configured ipfw... statefully, no less... should be an absolute prerequisite for running any Internet-connected FreeBSD-based device that simply wishes to always know the correct time.
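The two points raised in this thread, that a port-based allow rule is slipped past by forged packets carrying source port 123, and that stateful filtering together with an ephemeral outbound source port closes that gap, modelled as an added Python illustration that is not part of the original message or of ntpd/ipfw; the addresses and the simplified keep-state/check-state model are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
ME = "192.0.2.10"            # the FreeBSD host running ntpd
NTP_SERVER = "198.51.100.5"  # its upstream time server
ATTACKER = "203.0.113.7"     # an arbitrary third party

def stateless_allows(pkt):
    """A rule like 'allow udp from any 123 to me': it trusts only the source port,
    which the sender chooses freely, so anyone can satisfy it."""
    return pkt.dst == ME and pkt.sport == 123

class StatefulFilter:
    """Simplified model of an ipfw keep-state / check-state pair (assumption)."""
    def __init__(self):
        self._flows = set()

    def outbound(self, pkt):
        # keep-state records the 4-tuple of the query this host actually sent
        self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allows(self, pkt):
        # check-state accepts an inbound packet only if it mirrors a recorded flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows

def scenario(client_port):
    """Send one NTP query from client_port, then test three inbound packets."""
    fw = StatefulFilter()
    fw.outbound(Packet(ME, client_port, NTP_SERVER, 123))
    genuine = Packet(NTP_SERVER, 123, ME, client_port)
    # forged from an arbitrary host, source port 123 chosen to match port-based rules
    forged = Packet(ATTACKER, 123, ME, 123)
    # forged with the server's address spoofed too, aimed at the fixed port 123
    spoofed = Packet(NTP_SERVER, 123, ME, 123)
    return {
        "stateless_genuine": stateless_allows(genuine),
        "stateless_forged": stateless_allows(forged),
        "stateful_genuine": fw.inbound_allows(genuine),
        "stateful_forged": fw.inbound_allows(forged),
        "stateful_spoofed": fw.inbound_allows(spoofed),
    }
```

With `scenario(123)` (ntpd's fixed source port) the stateful filter still accepts the address-spoofed packet, because the attacker can predict the whole 4-tuple; with `scenario(49152)` (an ephemeral port) only the genuine reply gets through.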