From owner-freebsd-security@FreeBSD.ORG Sat Mar 22 14:54:29 2014
Message-Id: <201403221454.IAA22021@mail.lariat.net>
Date: Sat, 22 Mar 2014 08:48:40 -0600
From: Brett Glass
To: Ian Smith, "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Subject: Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)
In-Reply-To: <20140322182402.Q83569@sola.nimnet.asn.au>
References: <51546.1395432085@server1.tristatelogic.com> <20140322182402.Q83569@sola.nimnet.asn.au>
List-Id: "Security issues [members-only posting]"

At 02:34 AM 3/22/2014, Ian Smith wrote:

>In that specific ruleset - for one specific purpose, remember - no. In
>general yes; in a ruleset containing other rules, check-state should be
>placed where you want packets tested against all active dynamic rules.

This is correct. And that's awkward, because you might not want all of these checks in one place. Also, if there are many dynamic rules this will slow traffic down quite a bit.

It's a general security principle that the daemons included with an OS should be secure on their own; they shouldn't, by default, require protection by a firewall. This is certainly true of ntpd, which is part of the base FreeBSD distribution. The FreeBSD Project should set a good example, and conform to industry best practices, by making the system secure by default. This means including a default daemon configuration that is resistant to relaying and amplification of attacks.

Adding the "disable monitor" and "kod" options to ntp.conf is a start, but sourcing queries from random source ports is much more important. It would create negligible overhead (because NTP queries have much lower volume than DNS) and would allow the daemon to defend ITSELF from abuse rather than relying on a stateful firewall. As you've mentioned, Apple already does this in Darwin, a FreeBSD derivative. I haven't checked the latest releases of OpenBSD and NetBSD, but the older machines I have running these OSes appear to use randomized high ports for queries.

--Brett Glass
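The post argues that ntpd's default ntp.conf should refuse to act as an amplifier on its own, naming "disable monitor" and "kod" as a start. The checker below is an added example, not code from Brett Glass's post or from the FreeBSD Project: it parses an ntp.conf fragment and reports which of the standard ntpd settings that stop mode 7 "monlist" amplification are missing. The two configuration fragments are constructed samples; the keywords checked ("restrict default" with kod, limited, nomodify, notrap, nopeer, noquery, and "disable monitor") are ntpd's own. A bare "restrict default" is assumed here to apply to both address families, with -4/-6 narrowing it, as ntpd documents. The source-port randomization the post considers more important is not an ntp.conf option and is not modelled here.

```python
"""Audit an ntp.conf fragment for amplification resistance (added example)."""

# Constructed sample: no 'restrict default' line and monitoring left on,
# so any host may send control/mode 7 queries and get a monlist reply.
WEAK_CONF = """\
# constructed sample ntp.conf (permissive)
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
restrict 127.0.0.1
restrict -6 ::1
"""

# Constructed sample: the hardened counterpart.
HARDENED_CONF = """\
# constructed sample ntp.conf (hardened)
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
disable monitor
"""

# Flags a 'restrict default' line needs: noquery refuses mode 6/7 queries
# from arbitrary hosts, kod+limited rate-limit and send kiss-o'-death to
# abusers, nomodify/notrap/nopeer block runtime changes and peering.
REQUIRED_DEFAULT_FLAGS = {"noquery", "kod", "limited", "nomodify", "notrap", "nopeer"}


def parse_conf(text):
    """Return (defaults, monitor_enabled).

    defaults maps 'IPv4'/'IPv6' to the flag set of the effective
    'restrict default' line, or None if the family has no default restriction.
    monitor_enabled is True unless 'disable monitor' is in effect; ntpd reads
    the file in order, so a later 'enable monitor' turns it back on.
    """
    defaults = {"IPv4": None, "IPv6": None}
    monitor = True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "restrict":
            rest = words[1:]
            families = ["IPv4", "IPv6"]  # assumption: bare 'default' covers both
            if rest and rest[0] == "-4":
                families, rest = ["IPv4"], rest[1:]
            elif rest and rest[0] == "-6":
                families, rest = ["IPv6"], rest[1:]
            if rest and rest[0] == "default":
                for fam in families:
                    defaults[fam] = set(rest[1:])
        elif words[0] in ("disable", "enable") and "monitor" in words[1:]:
            monitor = words[0] == "enable"
    return defaults, monitor


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the fragment is hardened."""
    findings = []
    defaults, monitor = parse_conf(text)
    for family, flags in defaults.items():
        if flags is None:
            findings.append(f"{family}: no 'restrict default' line, so every host "
                            "may query and modify the daemon")
            continue
        missing = REQUIRED_DEFAULT_FLAGS - flags
        if missing:
            findings.append(f"{family}: 'restrict default' lacks "
                            + " ".join(sorted(missing)))
    if monitor:
        findings.append("'disable monitor' not in effect: the monlist table is "
                        "kept and mode 7 monlist replies remain possible")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_ntp_conf(conf) or 'no findings'}")
```

Run against the real /etc/ntp.conf by reading the file and passing its text to audit_ntp_conf; an empty result means the restrict defaults and monitor setting match the hardened sample, which is the part of the post's argument that ntp.conf can express.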