From owner-freebsd-security@FreeBSD.ORG Sat Mar 15 17:18:03 2014
Message-ID: <53248B48.5040108@delphij.net>
Date: Sat, 15 Mar 2014 10:18:00 -0700
From: Xin Li
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Brett Glass, d@delphij.net, Fabian Wenk, freebsd-security@freebsd.org
Cc: Ollivier Robert, hackers@lists.ntp.org
Subject: Re: NTP security hole CVE-2013-5211?
In-Reply-To: <201403150931.DAA29130@mail.lariat.net>
List-Id: "Security issues [members-only posting]"

On 3/15/14, 2:30 AM, Brett Glass wrote:
> At 11:34 PM 3/14/2014, Xin Li wrote:
>
>> I can't reproduce with a fresh install. How did you test it (or
>> what is missing in the default ntp.conf), can you elaborate?
>
> I have tested it under actual attack.
>
> Without the lines I mentioned in /etc/ntp.conf, the server will
> respond to monitor queries with rejection packets of the same size
> as the attack

Either it wouldn't or my test was wrong. My test was 'ntpdc -c
monlist' and tcpdump.

> packets. If the source addresses of the attack packets are spoofed,
> the attack is relayed.