From owner-freebsd-security@FreeBSD.ORG Tue Jan 14 08:17:55 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 35AD4E44; Tue, 14 Jan 2014 08:17:55 +0000 (UTC) Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 9C1061AA0; Tue, 14 Jan 2014 08:17:54 +0000 (UTC) Received: by mail-wi0-f176.google.com with SMTP id hq4so3338189wib.3 for ; Tue, 14 Jan 2014 00:17:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=i2Q53ihxkVpSLk8SGFlFJQZCRER+M9UsTMaJK/gDFX0=; b=nnm7cAeJDS82nH6NHQKbhN/m7BvCrJjKMQFj4YPZjs11IOyU+bBEfb1nATL/7HALES n6dFkF5sZrkS2pvXL+UQdEqpGhcOjkPmi3y0HQKnwYMKOE947LpuRHtXcKvMwhoHaXgb 2IvhPmM5461pTWZxGLX+dP07pUXQTJdLGX0c//Psfy0NwvDJu6QjiXoYcl1jMYhGvdt6 uIzH/O2zFbNTp/3Ny8Abwc8rD1Kh5g0G/0yrR08gaItUpX6FmCJXqLzjQxV3FXisbbQI Bcxg0vF0G51wMFlDSuTPGdryzIKJrgTg1nkoZ6dXoae01RdTMSPG0TlhGBVOQNae+qwj Pmtg== MIME-Version: 1.0 X-Received: by 10.180.14.37 with SMTP id m5mr1520889wic.46.1389687471540; Tue, 14 Jan 2014 00:17:51 -0800 (PST) Received: by 10.194.81.8 with HTTP; Tue, 14 Jan 2014 00:17:51 -0800 (PST) In-Reply-To: <52D44173.1070007@delphij.net> References: <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <52D44173.1070007@delphij.net> Date: Tue, 14 Jan 2014 09:17:51 +0100 Message-ID: Subject: Re: NTP security hole CVE-2013-5211? From: Cristiano Deana To: Xin LI Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.17 Cc: freebsd-security@freebsd.org, Palle Girgensohn X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 08:17:55 -0000 On Mon, Jan 13, 2014 at 8:41 PM, Xin Li wrote: Hi Xin, Do you have packet captures? If the configuration I have suggested > didn't stop the attack, you may have a different issue than what we have > found. > Please, take a look here https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks I tried all other mitigation, with limits and all. Only the update worked for me. No, I don0t have any packet capture, and please don't ask for it... i already DoSsed some chinese host in november with 300Mbit of udp flood... > I think it's better to upgrade the version in base AND to write a security > advisory. I wish we could, but 4.2.7 is a moving target right now. > > Most Open Source projects does not provide support to their development > branch or snapshots, and it would be a headache in support prospective, > because once a FreeBSD release is released, we would support it for at > least 12 months (some releases are supported for 24 months or even more). > I understand, thank you. In the other case we have *potentially* a new system tha can be used for DoS out of the box. Thanks, Cris -- Cris, member of G.U.F.I Italian FreeBSD User Group http://www.gufi.org/