From owner-freebsd-security@FreeBSD.ORG Tue Jan 14 13:54:29 2014
Delivered-To: freebsd-security@freebsd.org
In-Reply-To: <86d2jud85v.fsf@nine.des.no>
References: <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <86d2jud85v.fsf@nine.des.no>
Date: Tue, 14 Jan 2014 14:54:27 +0100
Subject: Re: NTP security hole CVE-2013-5211?
From: Cristiano Deana
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Palle Girgensohn, Xin LI
List-Id: "Security issues [members-only posting]"

On Tue, Jan 14, 2014 at 2:06 PM, Dag-Erling Smørgrav wrote:

Hi,

>> I tried several workarounds with config and policy, and ended up: you MUST
>> have 4.2.7 to stop these kinds of attacks.
>
> Doesn't "restrict noquery" block monlist in 4.2.6?

I didn't try. Following this document:
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks

"Currently the best available solution is to update to NTP 4.2.7p26 for which the support of 'monlist' query has been removed in favor of new safe 'mrunlist' function which uses a nonce value ensuring that received IP address match the actual requester"

I upgraded directly to net/ntp-devel, skipping net/ntp.

That was published in the first days after the DDoS was discovered; maybe now it's clearer how the vuln works.

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/
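For readers following the thread, here is the ntp.conf mitigation the question about "restrict noquery" refers to, written out as an added example. It is not part of the message above, the litnet document, or the FreeBSD ntp port; the server addresses are placeholders from the documentation range. It shows the pre-4.2.7 stock default beside the hardened form, and the `disable monitor` directive the NTP project recommended for CVE-2013-5211 on 4.2.6.

```conf
# /etc/ntp.conf (added example, not from the thread)
#
# Mitigating the mode 7 "monlist" reflection amplifier (CVE-2013-5211)
# on ntpd 4.2.6, where monlist still exists.

# Weak: a default restriction without "noquery" still answers ntpdc
# (mode 7) and ntpq (mode 6) control queries from any address, so a
# single spoofed monlist request can be reflected onto a victim.
#restrict default kod nomodify notrap nopeer

# Hardened: refuse all control/query traffic by default. "noquery" drops
# mode 6 and mode 7 requests, which is exactly what monlist is, while
# ordinary mode 3 client time requests are still answered. On 4.2.6 the
# IPv4 and IPv6 defaults are separate lines.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local operators keep full query access for ntpq/ntpdc troubleshooting.
restrict 127.0.0.1
restrict -6 ::1

# Belt and braces: stop building the most-recently-used peer list at all,
# so monlist has nothing to return even if a restrict line is later
# loosened. Caveat: the "kod" and "limited" rate-limiting restrictions
# depend on this list, so they stop working while monitor is disabled.
disable monitor

# Upstream servers (placeholder addresses).
server 192.0.2.10 iburst
server 192.0.2.11 iburst
```

To check the result from another host, `ntpdc -n -c monlist <server>` should time out instead of printing a list of recent clients. On 4.2.7p26 and later the mode 7 monlist request is gone and the replacement is `ntpq -c mrulist`, whose nonce exchange is what the quoted litnet text describes.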