Date:      Fri, 14 Mar 2014 09:38:50 -0600
From:      Brett Glass <brett@lariat.org>
To:        Fabian Wenk <fabian@wenks.ch>, freebsd-security@freebsd.org
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <201403141700.LAA21140@mail.lariat.net>
In-Reply-To: <52D7A944.70604@wenks.ch>
References:  <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <CAO82ECEsS-rKq7A-9w7VuxKpe_c_f=tvZQoRKgHEfi-yPdNeGQ@mail.gmail.com> <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch>

Everyone:

Two months after this vulnerability was announced, we're still 
seeing attempts to use the NTP "monitor" query to execute and 
amplify DDoS attacks. Unfortunately, FreeBSD, in its default 
configuration, will amplify the attacks if not patched and will 
still relay them (by sending "rejection" packets), obfuscating the 
source of the attack, if the system is patched using freebsd-update 
but the default ntp.conf file is not changed.

To avoid this, it's necessary to change /etc/ntp.conf to include 
the following lines:

# Stop amplification attacks via NTP servers
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
# Note: Comment out these lines on machines without IPv6
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1

We've tested this configuration on our servers and it successfully 
prevents the latest patches of FreeBSD 9.x and 10.0 from 
participating in a DDoS attack, either as a relay or as an amplifier.

Some of our own systems which were probed prior to the time we 
secured them are still receiving a large stream of attack packets, 
apparently from a botnet.

I'd recommend that the lines above be included in the default 
/etc/ntp.conf in all future releases, and that all systems that use 
the default ntp.conf without modification be patched automatically 
via freebsd-update.

--Brett Glass
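The "monitor" query the post refers to is an NTP mode-7 (private) request with request code MON_GETLIST_1, better known as "monlist". The following Python is an added example, not code from Brett Glass's post or from FreeBSD: it builds the 8-byte probe the DDoS tools send, decodes a mode-7 reply, and computes how many bytes go back toward the (spoofed) source per byte of request. The two replies it decodes are hand-built byte strings constructed to mirror ntpd's wire format (one full monlist reply, one error reply of the kind a server with "disable monitor" but without "noquery" returns); they are not captured traffic, and the peer addresses in them are documentation-range placeholders.

```python
"""Build and decode NTP mode-7 MON_GETLIST_1 ("monlist") packets.

Constructed example for the FreeBSD NTP amplification discussion; the
sample replies are hand-built, not captured from a real server.
"""
import socket
import struct

IMPL_XNTPD = 3           # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42   # request code for "monlist"
INFO_ERR_OKAY = 0
INFO_ERR_NODATA = 4      # error ntpd returns for monlist when "disable monitor" is set
MON_ITEM_SIZE = 72       # sizeof(struct info_monitor_1) on the wire


def build_monlist_request(sequence=0):
    """The probe the attack tools send: R=0, M=0, version 2, mode 7, code 42."""
    first = (2 << 3) | 7  # R=0 (request), M=0 (no more), VN=2, Mode=7 -> 0x17
    return struct.pack("!BBBBHH", first, sequence & 0x7F, IMPL_XNTPD,
                       REQ_MON_GETLIST_1, 0, 0)


def parse_mode7(data):
    """Decode a mode-7 header; for a successful monlist reply, list the peer addresses."""
    if len(data) < 8:
        raise ValueError("short mode-7 packet")
    first, _auth_seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", data[:8])
    info = {
        "response": bool(first & 0x80),       # R bit: reply rather than request
        "more": bool(first & 0x40),           # M bit: further packets follow
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "implementation": impl,
        "request_code": req,
        "error": err_nitems >> 12,            # 4-bit error code
        "nitems": err_nitems & 0x0FFF,        # 12-bit item count
        "item_size": mbz_size & 0x0FFF,       # 12-bit size of each item
        "entries": [],
    }
    if info["mode"] != 7:
        raise ValueError("not a mode-7 packet")
    if info["request_code"] == REQ_MON_GETLIST_1 and info["error"] == INFO_ERR_OKAY:
        body = data[8:]
        for i in range(info["nitems"]):
            item = body[i * info["item_size"]:(i + 1) * info["item_size"]]
            # struct info_monitor_1: lasttime, firsttime, restr, count, addr, ...
            info["entries"].append(socket.inet_ntoa(item[16:20]))
    return info


def amplification_factor(request, replies):
    """Bytes sent toward the (possibly spoofed) source per byte of request."""
    return sum(len(r) for r in replies) / len(request)


def make_monlist_reply(addrs, more=False, sequence=0):
    """Constructed reply: one 72-byte info_monitor_1 item per recent peer address."""
    first = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    items = b""
    for a in addrs:
        # lasttime, firsttime, restr, count, addr, daddr, flags, port, mode, version
        items += struct.pack("!IIII4s4sIHBB", 0, 0, 0, 1, socket.inet_aton(a),
                             b"\0" * 4, 0, 123, 3, 4)
        items += b"\0" * 40  # v6_flag, unused1, addr6, daddr6 (left zero)
    header = struct.pack("!BBBBHH", first, sequence, IMPL_XNTPD, REQ_MON_GETLIST_1,
                         (INFO_ERR_OKAY << 12) | len(addrs), MON_ITEM_SIZE)
    return header + items


def make_error_reply(err=INFO_ERR_NODATA, sequence=0):
    """Constructed 8-byte error reply: no data, but still a packet to the spoofed source."""
    first = 0x80 | (2 << 3) | 7
    return struct.pack("!BBBBHH", first, sequence, IMPL_XNTPD, REQ_MON_GETLIST_1,
                       err << 12, 0)


if __name__ == "__main__":
    req = build_monlist_request()
    full = make_monlist_reply(["192.0.2.10", "198.51.100.7"])
    rejection = make_error_reply()
    print(parse_mode7(full))
    print("monitor enabled, amplification factor:", amplification_factor(req, [full]))
    print("monitor disabled, noquery absent, factor:", amplification_factor(req, [rejection]))
```

The two numbers the script prints are the distinction the post draws: a server with the monitor facility enabled returns 72 bytes per listed peer (and a real server answers with many packets, each carrying several items, so the ratio grows with the size of its peer list), while a server that has only disabled the monitor facility still answers the 8-byte probe with an 8-byte error reply, a 1:1 relay that reaches whatever source address the attacker spoofed. With "restrict default ... noquery" in place the server sends nothing at all, which a probe run against a live host would observe as a socket timeout rather than any mode-7 packet.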
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403141700.LAA21140>