From owner-freebsd-security@FreeBSD.ORG Fri Mar 14 17:00:54 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D4B453D6 for ; Fri, 14 Mar 2014 17:00:54 +0000 (UTC) Received: from mail.lariat.net (mail.lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 88851306 for ; Fri, 14 Mar 2014 17:00:54 +0000 (UTC) Received: from Toshi.lariat.org (IDENT:ppp1000.lariat.net@localhost [127.0.0.1]) by mail.lariat.net (8.9.3/8.9.3) with ESMTP id LAA21140; Fri, 14 Mar 2014 11:00:34 -0600 (MDT) Message-Id: <201403141700.LAA21140@mail.lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 14 Mar 2014 09:38:50 -0600 To: Fabian Wenk , freebsd-security@freebsd.org From: Brett Glass Subject: Re: NTP security hole CVE-2013-5211? In-Reply-To: <52D7A944.70604@wenks.ch> References: <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Mar 2014 17:00:54 -0000 Everyone: Two months after this vulnerability was announced, we're still seeing attempts to use the NTP "monitor" query to execute and amplify DDoS attacks. Unfortunately, FreeBSD, in its default configuration, will amplify the attacks if not patched and will still relay them (by sending "rejection" packets), obfuscating the source of the attack, if the system is patched using freebsd-update but the default ntp.conf file is not changed. To avoid this, it's necessary to change /etc/ntp.conf to include the following lines: # Stop amplification attacks via NTP servers disable monitor restrict default kod nomodify notrap nopeer noquery restrict 127.0.0.1 restrict 127.127.1.0 # Note: Comment out these lines on machines without IPv6 restrict -6 default kod nomodify notrap nopeer noquery restrict -6 ::1 We've tested this configuration on our servers and it successfully prevents the latest patches of FreeBSD 9.x and 10.0 from participating in a DDoS attack, either as a relay or as an amplifier. Some of our own systems which were probed prior to the time we secured them are still receiving a large stream of attack packets, apparently from a botnet. I'd recommend that the lines above be included in the default /etc/ntp.conf in all future releases, and that all systems that use the default ntp.conf without modification be patched automatically via freebsd-update. --Brett Glass