From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 00:37:41 2010
To: freebsd-security@freebsd.org
From: Harlan Stenn
In-Reply-To: FreeBSD Security Advisories's (security-advisories@freebsd.org) message dated Wed, 06 Jan 2010 22:55:36. <201001062255.o06MtanW089116@freefall.freebsd.org>
Date: Wed, 06 Jan 2010 19:18:20 -0500
Message-Id: <20100107001820.36C8128438@gwc.pfcs.com>
Cc: stenn@ntp.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd

Not quite...

> II. Problem Description
>
> If ntpd receives a mode 7 (MODE_PRIVATE) request or error response

it's a *malformed* mode 7 request, or an error response ...

Normal mode 7 requests have been (and are) handled just fine and are not
logged by default.

> from a source address not listed in either a 'restrict ... noquery'
> or a 'restrict ... ignore' section it will log the even and send

s/even/event/

> a mode 7 error response.

> IV. Workaround
>
> Proper filtering of mode 7 NTP packets by a firewall can limit the
> number of systems used to attack your resources.

If you can find a firewall that will do this, please lemme know. We
haven't found any.

Thanks...

H
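
The classification a packet filter would need in order to single out mode 7 traffic, as an added example that is not part of the original message, the advisory or ntpd. The header layout used (mode in the low three bits of byte 0, response bit 0x80, error code in the top four bits of bytes 4-5) follows ntpd's mode 7 packet format; the function names, the "malformed" criteria, the drop policy and the sample payloads are assumptions constructed for illustration.

```python
import struct

MODE_PRIVATE = 7    # mode 7, as named in the quoted advisory
RESP_BIT = 0x80     # byte 0: set when the packet is a mode 7 response
MODE7_HDR_LEN = 8   # four single-byte fields plus two 16-bit fields


def classify(payload: bytes) -> str:
    """Label one UDP/123 payload so mode 7 traffic can be singled out."""
    if not payload:
        return "empty"
    if payload[0] & 0x07 != MODE_PRIVATE:
        return "other-mode"
    if len(payload) < MODE7_HDR_LEN:
        return "mode7-malformed"
    err_nitems, mbz_itemsize = struct.unpack("!HH", payload[4:8])
    err = err_nitems >> 12          # top 4 bits carry the error code
    if payload[0] & RESP_BIT:
        return "mode7-error-response" if err else "mode7-response"
    # Assumption of this example: a request with a non-zero error code or
    # non-zero must-be-zero bits counts as malformed.
    if err or (mbz_itemsize >> 12):
        return "mode7-malformed"
    return "mode7-request"


def drop_unsolicited(payload: bytes) -> bool:
    """Hypothetical border policy: pass only non-mode-7 packets and
    well-formed mode 7 requests; drop everything else."""
    return classify(payload) in {
        "empty", "mode7-malformed", "mode7-response", "mode7-error-response"}


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "client": bytes([0x23]) + bytes(47),                    # VN 4, mode 3
    "request": bytes([0x17, 0, 3, 0, 0, 0, 0, 0]),          # VN 2, mode 7
    "error": bytes([0x97, 0, 3, 0, 0x40, 0, 0, 0]),         # response, err 4
    "truncated": bytes([0x17, 0]),                          # header cut short
    "bad_request": bytes([0x17, 0, 3, 0, 0x10, 0, 0, 0]),   # request, err set
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} {classify(pkt):22} drop={drop_unsolicited(pkt)}")
```

A stateless rule like this also drops replies to mode 7 queries sent from inside, so it only suits sites that do not query outside servers that way.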