From: Dimitry Andric
Subject: Re: NTP security hole CVE-2013-5211?
Date: Fri, 14 Mar 2014 21:27:00 +0100
To: Brett Glass
Cc: freebsd-security@freebsd.org, Fabian Wenk
Message-Id: <106CC1B8-932F-44CD-B307-C5B470359ABD@FreeBSD.org>
In-Reply-To: <201403141700.LAA21140@mail.lariat.net>
List-Id: Security issues [members-only posting]

On 14 Mar 2014, at 16:38, Brett Glass wrote:
> Two months after this vulnerability was announced, we're still seeing attempts to use the NTP "monitor" query to execute and amplify DDoS attacks. Unfortunately, FreeBSD, in its default configuration, will amplify the attacks if not patched and will still relay them (by sending "rejection" packets), obfuscating the source of the attack, if the system is patched using freebsd-update but the default ntp.conf file is not changed.
>
> To avoid this, it's necessary to change /etc/ntp.conf to include the following lines:
>
> # Stop amplification attacks via NTP servers
> disable monitor
> restrict default kod nomodify notrap nopeer noquery
> restrict 127.0.0.1
> restrict 127.127.1.0
> # Note: Comment out these lines on machines without IPv6
> restrict -6 default kod nomodify notrap nopeer noquery
> restrict -6 ::1
>
> We've tested this configuration on our servers and it successfully prevents the latest patches of FreeBSD 9.x and 10.0 from participating in a DDoS attack, either as a relay or as an amplifier.
>
> Some of our own systems which were probed prior to the time we secured them are still receiving a large stream of attack packets, apparently from a botnet.
>
> I'd recommend that the lines above be included in the default /etc/ntp.conf in all future releases, and that all systems that use the default ntp.conf without modification be patched automatically via freebsd-update.

It looks like you missed http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc then? Which was released on Jan 14, and has all the instructions how to patch your system. It also shows this was fixed for all supported FreeBSD releases.

-Dimitry
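A small audit for the ntp.conf hardening lines Brett quotes above, added here as an example and not code from either poster: it parses an ntp.conf and reports whether `disable monitor` and a fully restricted `restrict default` line per address family are present. It assumes ntpd's `restrict [-4|-6] default` syntax and, like the recommended configuration, treats a bare `restrict default` as the IPv4 line and requires the explicit `-6` line separately (pass `require_ipv6=False` on hosts without IPv6); the sample configs are constructed.

```python
"""Audit an ntp.conf for the anti-amplification lines recommended above."""
# Added example, not the thread's code. Assumes ntpd's 'restrict [-4|-6] default'
# syntax: a bare 'restrict default' counts as the IPv4 line and the explicit '-6'
# line is required separately, as the recommended configuration does.
REQUIRED_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

def parse_ntp_conf(text):
    """Return (directive, args) tuples, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries

def audit_ntp_conf(text, require_ipv6=True):
    """Return findings; empty means 'disable monitor' is present and each
    family's 'restrict default' line carries all of REQUIRED_FLAGS."""
    entries = parse_ntp_conf(text)
    findings = []
    # The monlist query is served by the 'monitor' facility; it must be off.
    if not any(d == "disable" and "monitor" in a for d, a in entries):
        findings.append("missing 'disable monitor'")
    # Collect the flag set on each address family's 'restrict default' line.
    defaults = {"-4": None, "-6": None}
    for d, args in entries:
        if d != "restrict" or not args:
            continue
        family, rest = "-4", args
        if args[0] in ("-4", "-6"):
            family, rest = args[0], args[1:]
        if rest and rest[0] == "default":
            defaults[family] = set(rest[1:])
    for family in (("-4", "-6") if require_ipv6 else ("-4",)):
        label = "restrict default" if family == "-4" else "restrict -6 default"
        if defaults[family] is None:
            findings.append(f"missing '{label}' line")
        elif REQUIRED_FLAGS - defaults[family]:
            missing = " ".join(sorted(REQUIRED_FLAGS - defaults[family]))
            findings.append(f"'{label}' lacks: {missing}")
    return findings

# Constructed samples: a config with no default restriction, and the thread's lines.
WEAK_CONF = "server time.example.net iburst\nrestrict 127.0.0.1\n"
HARDENED_CONF = WEAK_CONF + (
    "disable monitor\nrestrict default kod nomodify notrap nopeer noquery\n"
    "restrict 127.127.1.0\n# Comment out on machines without IPv6\n"
    "restrict -6 default kod nomodify notrap nopeer noquery\nrestrict -6 ::1\n")
```

Run it against the real file with `audit_ntp_conf(open("/etc/ntp.conf").read())`; note that it checks only the flag set on the default lines, not the separate question of whether the ntpd binary itself carries the SA-14:02 fix.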