Date:      Fri, 14 Mar 2014 21:27:00 +0100
From:      Dimitry Andric <dim@FreeBSD.org>
To:        Brett Glass <brett@lariat.org>
Cc:        freebsd-security@freebsd.org, Fabian Wenk <fabian@wenks.ch>
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <106CC1B8-932F-44CD-B307-C5B470359ABD@FreeBSD.org>
In-Reply-To: <201403141700.LAA21140@mail.lariat.net>
References:  <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <CAO82ECEsS-rKq7A-9w7VuxKpe_c_f=tvZQoRKgHEfi-yPdNeGQ@mail.gmail.com> <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch> <201403141700.LAA21140@mail.lariat.net>

On 14 Mar 2014, at 16:38, Brett Glass <brett@lariat.org> wrote:
> Two months after this vulnerability was announced, we're still seeing attempts to use the NTP "monitor" query to execute and amplify DDoS attacks. Unfortunately, FreeBSD, in its default configuration, will amplify the attacks if not patched and will still relay them (by sending "rejection" packets), obfuscating the source of the attack, if the system is patched using freebsd-update but the default ntp.conf file is not changed.
> 
> To avoid this, it's necessary to change /etc/ntp.conf to include the following lines:
> 
> # Stop amplification attacks via NTP servers
> disable monitor
> restrict default kod nomodify notrap nopeer noquery
> restrict 127.0.0.1
> restrict 127.127.1.0
> # Note: Comment out these lines on machines without IPv6
> restrict -6 default kod nomodify notrap nopeer noquery
> restrict -6 ::1
> 
> We've tested this configuration on our servers and it successfully prevents the latest patches of FreeBSD 9.x and 10.0 from participating in a DDoS attack, either as a relay or as an amplifier.
> 
> Some of our own systems which were probed prior to the time we secured them are still receiving a large stream of attack packets, apparently from a botnet.
> 
> I'd recommend that the lines above be included in the default /etc/ntp.conf in all future releases, and that all systems that use the default ntp.conf without modification be patched automatically via freebsd-update.

It looks like you missed http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc then? It was released on Jan 14 and has all the instructions on how to patch your system. It also shows this was fixed for all supported FreeBSD releases.

-Dimitry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)

iEYEARECAAYFAlMjZhwACgkQsF6jCi4glqObRwCg7cZjUNLp401rWUNu6PrVunvu
wVEAoOL0+VXdiGWQkIXIWWOipY56b7Vt
=Li5p
-----END PGP SIGNATURE-----
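The thread above turns on two different behaviours of an ntpd that receives a spoofed mode 7 MON_GETLIST_1 ("monlist") query: an unpatched, unrestricted server answers with its client list (amplification), while a server with `disable monitor` but no `noquery` restriction still answers with a short error packet (reflection without amplification). The example below is added here and is not code from the thread or from FreeBSD; it builds the 8-byte probe the attacks spoof, constructs sample replies of both kinds offline (no real server is contacted), parses them, and computes the amplification factor. The packet layout, the 72-byte `info_monitor_1` entry size, the six-entries-per-reply limit and the `INFO_ERR_NODATA` code are taken from my reading of ntpd's `ntp_request.h`/`ntp_request.c` and should be treated as assumptions of this example; the client addresses are constructed test data.

```python
import socket
import struct

# Mode 7 "private" packet constants (assumed from ntpd's ntp_request.h).
NTP_MODE_PRIVATE = 7
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
RESP_BIT = 0x80            # set on replies
MORE_BIT = 0x40            # set when further reply packets follow
MON_ENTRY_SIZE = 72        # sizeof(struct info_monitor_1)
MAX_ENTRIES_PER_PKT = 6    # 8 + 6*72 = 440 bytes, the largest single reply
INFO_ERR_NODATA = 4        # error ntpd returns once "disable monitor" is in effect


def build_monlist_request(version=2):
    """The 8-byte MON_GETLIST_1 probe that the amplification attacks spoof."""
    first = (version << 3) | NTP_MODE_PRIVATE   # R=0, M=0, VN=2, MODE=7 -> 0x17
    return struct.pack("!BBBBHH", first, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def build_monlist_response(clients, seq=0, more=False):
    """Constructed reply of an unrestricted ntpd: one 72-byte entry per client seen."""
    first = RESP_BIT | (MORE_BIT if more else 0) | (2 << 3) | NTP_MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", first, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(clients), MON_ENTRY_SIZE)   # err=0 | nitems, mbz=0 | size
    body = b""
    for ip, port, count in clients:
        # lasttime, firsttime, restr, count, addr, daddr, flags, port, mode,
        # version, v6_flag, unused1, addr6, daddr6  (network byte order, no padding)
        body += struct.pack("!IIII4s4sIHBBII16s16s", 0, 0, 0, count,
                            socket.inet_aton(ip), b"\0" * 4, 0, port, 3, 4, 0, 0,
                            b"\0" * 16, b"\0" * 16)
    return hdr + body


def build_error_response(err, seq=0):
    """Constructed 8-byte 'rejection' reply: header only, error code in the high nibble."""
    first = RESP_BIT | (2 << 3) | NTP_MODE_PRIVATE
    return struct.pack("!BBBBHH", first, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                       (err & 0xF) << 12, 0)


def parse_private_header(pkt):
    """Decode the common 8-byte mode 7 header."""
    first, seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(first & RESP_BIT), "more": bool(first & MORE_BIT),
        "version": (first >> 3) & 0x7, "mode": first & 0x7, "seq": seq & 0x7F,
        "impl": impl, "req": req,
        "err": err_nitems >> 12, "nitems": err_nitems & 0xFFF,
        "size": mbz_size & 0xFFF,
    }


def parse_monlist_entries(pkt):
    """Return (client_ip, port, count) for every entry in a successful monlist reply."""
    h = parse_private_header(pkt)
    if not h["response"] or h["req"] != REQ_MON_GETLIST_1 or h["err"] != 0:
        return []
    entries = []
    for i in range(h["nitems"]):
        off = 8 + i * h["size"]
        count = struct.unpack_from("!I", pkt, off + 12)[0]
        ip = socket.inet_ntoa(pkt[off + 16:off + 20])
        port = struct.unpack_from("!H", pkt, off + 28)[0]
        entries.append((ip, port, count))
    return entries


def is_monlist_disabled(pkt):
    """True when the reply carries INFO_ERR_NODATA, i.e. the server still answers
    (reflects) but no longer hands out its client list (no amplification)."""
    h = parse_private_header(pkt)
    return h["response"] and h["err"] == INFO_ERR_NODATA


def amplification_factor(request, replies):
    """Bytes delivered to the spoofed victim per byte the attacker sent."""
    return sum(len(r) for r in replies) / len(request)


if __name__ == "__main__":
    probe = build_monlist_request()
    # Constructed sample client list, not data from any real server.
    clients = [("192.0.2.%d" % i, 123, i) for i in range(1, MAX_ENTRIES_PER_PKT + 1)]
    full = build_monlist_response(clients)
    print("unrestricted server, one reply packet: %.1fx" % amplification_factor(probe, [full]))
    print("leaked clients:", parse_monlist_entries(full))
    nodata = build_error_response(INFO_ERR_NODATA)
    print("'disable monitor' only, reply still sent: %.1fx, disabled=%s"
          % (amplification_factor(probe, [nodata]), is_monlist_disabled(nodata)))
    # With "restrict default ... noquery" the query is dropped and there is no
    # reply at all, so the host neither amplifies nor reflects.
    print("noquery: %.1fx" % amplification_factor(probe, []))
```

The factor 55 is for a single full reply; a busy server returns up to 100 such packets for one 8-byte query, which is why the attacks favour it. The header-only error reply gives a factor of 1.0, which is exactly the "relay" case in the quoted message: the patched host is no longer an amplifier but still puts its own address on packets aimed at the victim, and only the `noquery` restriction removes the reply entirely.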

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?106CC1B8-932F-44CD-B307-C5B470359ABD>