From: Brett Glass
Date: Sat, 15 Mar 2014 03:30:41 -0600
To: d@delphij.net, Fabian Wenk, freebsd-security@freebsd.org
Cc: Ollivier Robert, hackers@lists.ntp.org
Subject: Re: NTP security hole CVE-2013-5211?

At 11:34 PM 3/14/2014, Xin Li wrote:

>I can't reproduce with fresh install. How did you test it (or what
>is missing in the default ntp.conf), can you elaborate?

I have tested it under actual attack.
Without the lines I mentioned in /etc/ntp.conf, the server will respond to monitor queries with rejection packets of the same size as the attack packets. If the source addresses of the attack packets are spoofed, the attack is relayed.

--Brett Glass
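
A defender-side check related to the message above, as an added example that is not part of the original post: it audits an ntp.conf for the two documented ntpd settings that govern ntpq/ntpdc queries, `restrict default ... noquery` and `disable monitor`. The lines referred to in the message are not quoted here, so the script does not assume them; the sample configuration is constructed, and `audit_ntp_conf` is a hypothetical helper name.

```python
# Added example: audit ntp.conf for ntpd's documented query controls.
SAMPLE_CONF = """\
# constructed sample, not a real or default configuration
server ntp.example.org iburst
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

def audit_ntp_conf(text):
    """Return a list of findings about ntpq/ntpdc (mode 6/7) query exposure."""
    default_flags = {"IPv4": None, "IPv6": None}  # None = no default entry seen
    monitor_disabled = False
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()        # drop comments, tokenize
        if len(tok) < 2:
            continue
        if tok[0] in ("disable", "enable") and "monitor" in tok[1:]:
            monitor_disabled = tok[0] == "disable"
        elif tok[0] == "restrict":
            args = tok[1:]
            # Assumption: a bare "restrict default" covers both address
            # families; older ntpd releases need an explicit -6 entry.
            families = ["IPv4", "IPv6"]
            if args[0] in ("-4", "-6"):
                families = ["IPv4" if args[0] == "-4" else "IPv6"]
                args = args[1:]
            if args and args[0] == "default":
                for fam in families:
                    default_flags[fam] = set(args[1:])
    findings = []
    for fam, flags in default_flags.items():
        if flags is None:
            findings.append(f"{fam}: no 'restrict default' entry")
        elif "ignore" not in flags and "noquery" not in flags:
            findings.append(f"{fam}: default entry lacks 'noquery'")
    if not monitor_disabled:
        findings.append("monitor: 'disable monitor' not set")
    return findings

if __name__ == "__main__":
    for finding in audit_ntp_conf(SAMPLE_CONF):
        print("FINDING", finding)
```

The audit only reads configuration text; per-address `restrict` entries and `mask` forms of the default entry are outside what it checks.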