Date: Fri, 21 Mar 2014 12:08:40 +0100
From: Remko Lodder <remko@FreeBSD.org>
To: "Info / RIT.lt" <info@rit.lt>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, Micheas Herman <m@micheas.net>
Subject: Re: NTP security hole CVE-2013-5211?
Message-ID: <AD479A36-993D-442A-AA07-AB52D8198624@FreeBSD.org>
In-Reply-To: <bf87380c6cba4318aefb740a2f2ae69e@DBXPR06MB318.eurprd06.prod.outlook.com>
References: <201403210421.WAA05406@mail.lariat.net> <CAJw6ijkqBTzcD-WyOQtiU3=R2W8fZjKR=qo5AW9836fOkyNudQ@mail.gmail.com> <201403210444.WAA05541@mail.lariat.net> <bf87380c6cba4318aefb740a2f2ae69e@DBXPR06MB318.eurprd06.prod.outlook.com>
On 21 Mar 2014, at 11:41, Info / RIT.lt <info@rit.lt> wrote:

> Dear FreeBSD users, my first experience with FreeBSD was 14 years ago, but due to hardware problems I chose Linux. After working with Linux for 14 years, I decided to give FreeBSD another shot. After setting up a FreeBSD server with jails, I became a victim of a DDoS which was launched from my dedicated server; the investigation led to the NTP server. This misconfiguration, left with default settings, shocked me. Please fix this configuration bug.
>
> A firewall is for filtering traffic, not for hiding buggy configs.
>
> Regards,
> Mindaugas Bubelis

I kept silent so far, but this makes me frown a bit. We all know that there are people on the internet who try to hurt our businesses, 24*7*365. All unprotected networks and hosts are targeted, 24*7*365. It is -very- common practice to set up a security perimeter, to only allow in the traffic you want to reach your machine(s) and only let out the traffic you want from your machine(s). I worked for large scale ISPs, and we all did the same.

Reading the mails in this thread leads me to believe that there is no stateful firewall concept in place? Only allow the networks you want to your NTP server(s) and deny the others. Only let your NTP servers out to the internet to retrieve the date. Do that statefully, so that only traffic you send out can come back. With that last line in place, it is hard, seen from the internet, to hijack such a session and fool the firewall into letting the packet back in to your NTP server.

In my belief, if you do not filter traffic, you are making a deliberate choice to let everyone smack your service(s). That is not a problem, but you then also need to modify your configuration(s) to make sure it is as safe as it gets. We (FreeBSD) updated the ntpd.conf file that is shipped as a Security Patch so that users running our update facilities have that in place. However, since people also change their configurations on their own or do not use that, they need to be aware that they need to update the rules as well! We do not want to enforce our configuration changes on users who might have a good reason for having an alternative setup!

The only thing I saw from Brett that might need investigation is the additional 'disable monitor', though would that break people's setup? Are people using that on purpose for some reason? Then we cannot enforce it, just advise that this might be a solution to prevent issues.

In my understanding and belief, stateful firewalling your networks is the best option: making sure that only your own machines or a selected set of machines can access NTP resources on your network (or the internet, whatever you prefer), and that traffic leaving your borders can only return if the firewall sees that you set up the communication in the first place.

In the above case: did you install the FreeBSD release and never update? Then that is something -you- should have done. Installing something from delivered media is always out of date and needs to be updated before first use.

Thank you.
Remko

> ________________________________________
> From: owner-freebsd-security@freebsd.org <owner-freebsd-security@freebsd.org> on behalf of Brett Glass <brett@lariat.org>
> Sent: Friday, March 21, 2014 6:44 AM
> To: Micheas Herman; freebsd-security@freebsd.org
> Subject: Re: NTP security hole CVE-2013-5211?
>
> At 10:38 PM 3/20/2014, Micheas Herman wrote:
>
>> While true, that does mean that amplification attacks are limited to being
>> able to attack those ten machines.
>
> The amplifier/relay is also a victim, and can be completely disabled by the attack
> if its link to the Net becomes saturated.
>
> --Brett Glass

-- 
Best regards,
Remko Lodder | remko@FreeBSD.org | remko@EFnet
http://www.evilcoder.org/
ASCII Ribbon Campaign | Against HTML Mail and News
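As an added illustration of the two controls Remko describes (this is not from his mail nor FreeBSD's shipped files): a stateful pf ruleset that only admits NTP queries from trusted networks and only lets the server's own outbound time queries return, followed by ntp.conf restrict lines that refuse mode 6/7 control queries such as monlist. The interface name, the server address and the trusted networks are assumed placeholders.

```conf
# ---- /etc/pf.conf fragment (added example; names/addresses are assumed) ----
ext_if     = "em0"                       # assumed external interface
ntp_server = "192.0.2.10"                # assumed address of the host/jail running ntpd
trusted    = "{ 10.0.0.0/8, 192.0.2.0/24 }"   # assumed networks allowed to ask for time

set skip on lo0

# Default: nobody on the outside may reach udp/123 on our network.
block in on $ext_if proto udp to port ntp

# Only the trusted networks may query our NTP server (pf: last matching rule wins,
# so this overrides the block above for those sources only).
pass in on $ext_if proto udp from $trusted to $ntp_server port ntp keep state

# The server itself may go out to fetch time; "keep state" means only replies
# to a query it actually sent are let back in, the rest hits the block rule.
pass out on $ext_if proto udp from $ntp_server to any port ntp keep state

# ---- /etc/ntp.conf fragment (added example; trusted net is assumed) ----
# Everyone else: time service only, no ntpq/ntpdc queries (noquery covers the
# mode 7 monlist request), no configuration changes, no peering, no traps.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local host may still run ntpq for troubleshooting.
restrict 127.0.0.1
restrict -6 ::1

# Trusted network may sync time but not modify or peer.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer

# The 'disable monitor' Brett mentioned: stop keeping the MRU list that
# monlist reports, so there is nothing left to amplify even if a query gets through.
disable monitor
```

Load the ruleset with `pfctl -f /etc/pf.conf` and restart ntpd after editing ntp.conf; `pfctl -ss | grep ':123'` then shows only states the server opened itself or that trusted sources created.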
