Date:      Fri, 21 Mar 2014 22:28:23 +0100
From:      Remko Lodder <remko@FreeBSD.org>
To:        "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <8F3083F1-3A20-4FEC-9969-F9968D87569E@FreeBSD.org>
In-Reply-To: <51381.1395429637@server1.tristatelogic.com>
References:  <51381.1395429637@server1.tristatelogic.com>


On 21 Mar 2014, at 20:20, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:

>
> In message <AD479A36-993D-442A-AA07-AB52D8198624@FreeBSD.org>,
> Remko Lodder <remko@FreeBSD.org> wrote:
>
>> Reading the mails from this thread leads me to believe that there is no
>> stateful firewall concept in place?
>
> I am not the poster to whom you were responding (info@rit.lt), however
> speaking only for myself I will confess that yes, in my case at least,
> although I have used ipfw for many years, I have never (until now) found
> any compelling need to either understand or make use of any of ipfw's
> stateful capabilities.

Hi Ronald,

That is ‘fine’ of course but makes you vulnerable to the ‘crap’ that is hitting
your doorway now. Rest assured that you are already doing a great step in at
least filtering your machines and as you demonstrate you are active on
the internet to get the information you need to do it properly. That is already
way better than a lot of other people.

A question that pops into my mind: Do you think we (security people) needed to be
more verbose about why this might have been a good idea? Or could we have
done a better job in reasoning why stateful has its advantages?

>
>> In my believing it is so that if you do not filter traffic, you are
>> making a deliberate choice to let everyone smack your service(s).
>
> I personally *do* most certainly filter traffic, and have done, since
> I first connected *any* machine of mine to the Internet.  I can assure
> you that I never made any deliberate choice to let everyone smack me
> around.  Nonetheless, that clearly did happen, eventually, when evil-doers
> decided, relatively recently, to use & abuse me as an NTP reflector, but
> my participation in this was not in any sense deliberate on my part, and
> arose strictly out of ignorance, for which I am suitably humbled and
> apologetic.

Let me offer my apologies, I did not want to make you feel ignorant or anything.

What I meant is that everyone should filter on their machines, or if possible
even ahead of their machines at the gateways. Stopping traffic you do not want
should occur at the border so that it never ever reaches the machines it is not
supposed to reach.

People do make a living in ‘pestering’ you and I (and many others) and now
smacking your NTP server(s) is gaining them something, or they wouldn’t just
do it.

My best advice in this case might be that only allowing in the networks you
want to have in on your NTP server (Stateful) prevents people that you do not
want to have there in the first place. Only letting out the traffic you want
(also stateful) prevents bogus replies because they most likely are caught at
the firewall already.

Of course the software should be well protected as well, and secteam@ did his
best to offer the best solution possible. Though as mentioned by Brett for
example we just cannot force the update of ntpd.conf on user machines because
every admin could have legitimate reasons for having a configuration in place
they decided to have. It’s risky to change those things and especially enforce
them on running machines. Most of his ideas were in the advisory already
except for the ‘disable monitor’ part, which might be reason to discuss
whether that makes sense or not.

Thank you,

Remko

>
>
> Regards,
> rfg
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

-- 

/"\   Best regards,                      | remko@FreeBSD.org
\ /   Remko Lodder                       | remko@EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News
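As an added example (not from this message, the thread, or the FreeBSD project), the following script turns the stateful advice in the reply above into a concrete ipfw ruleset for one NTP host: let in only the trusted network, let out only the host's own queries to its upstream server, and let dynamic (keep-state) rules match the replies so everything else aimed at port 123 is dropped at the border. The interface, trusted network and upstream server are assumed placeholders using RFC 5737 documentation addresses. The ntp.conf fragment pairs the `disable monitor` line the thread mentions with a default `restrict` line that is my assumption of a complementary host-side setting, not a quotation from the advisory.

```shell
#!/bin/sh
# Added example, not from the thread. Stateful ipfw rules for a single NTP host:
# admit only the networks you want, emit only the traffic you want, and let
# keep-state match the replies. Placeholders (RFC 5737 addresses) are assumptions.
set -eu

IFACE="${IFACE:-em0}"                          # assumed external interface
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"     # assumed clients allowed to query our ntpd
UPSTREAM_NTP="${UPSTREAM_NTP:-198.51.100.10}"  # assumed server our ntpd syncs against
MODE="${MODE:-dry}"                            # "dry" prints the rules, "apply" runs ipfw(8)

# Print the rule in dry mode, otherwise hand it to ipfw(8).
ipfw_cmd() {
    if [ "$MODE" = "apply" ]; then
        ipfw "$@"
    else
        printf 'ipfw %s\n' "$*"
    fi
}

# Emit the NTP-related rules. Rule numbers leave room for the rest of a ruleset.
ntp_rules() {
    # Consult the dynamic rule table first, so replies to our own queries and
    # follow-up packets from already-admitted clients pass without further checks.
    ipfw_cmd add 1000 check-state
    # Outbound: our ntpd may query its upstream server. keep-state creates the
    # dynamic rule that lets that one reply back in, so no standing inbound
    # allow for port 123 is needed.
    ipfw_cmd add 1010 allow udp from me to "$UPSTREAM_NTP" 123 out via "$IFACE" keep-state
    # Inbound: only the trusted network may reach our ntpd on port 123.
    ipfw_cmd add 1020 allow udp from "$TRUSTED_NET" to me 123 in via "$IFACE" keep-state
    # Everything else addressed to our port 123 stops at the border, so reflection
    # probes never reach ntpd at all. Logging keeps the attempts visible.
    ipfw_cmd add 1030 deny log udp from any to me 123 in via "$IFACE"
    # Unsolicited packets from source port 123 (bogus "replies") stop here too;
    # genuine replies to our query were already matched by the dynamic rule.
    ipfw_cmd add 1040 deny log udp from any 123 to me in via "$IFACE"
}

# Host-side hardening to pair with the firewall. "disable monitor" turns off the
# monlist feature abused in CVE-2013-5211; the restrict line (an assumption here,
# not quoted from the advisory) refuses mode 6/7 queries while still serving time.
ntp_conf_fragment() {
    cat <<'EOF'
disable monitor
restrict default kod nomodify notrap nopeer noquery
EOF
}

# Dry run by default; MODE=apply ./ntp-ipfw.sh installs the rules for real.
ntp_rules
printf '\n# ntp.conf fragment:\n'
ntp_conf_fragment
```

Running the script without arguments only prints the commands, which is the form to review before pointing `MODE=apply` at a live host; the dynamic rules created by `keep-state` are what make the firewall, rather than ntpd, the component that decides who gets an answer.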

