Date: Thu, 20 Mar 2014 14:28:10 -0600 From: Brett Glass <brett@lariat.org> To: "Ronald F. Guilmette" <rfg@tristatelogic.com>, freebsd-security@freebsd.org Subject: Re: NTP security hole CVE-2013-5211? Message-ID: <201403202028.OAA01351@mail.lariat.net> In-Reply-To: <44680.1395343983@server1.tristatelogic.com> References: <201403201719.LAA29320@mail.lariat.net> <44680.1395343983@server1.tristatelogic.com>
At 01:33 PM 3/20/2014, Ronald F. Guilmette wrote:

>I agree entirely with every part of that statement except one.
>
>In the immortal words of the Lone Ranger's trusted sidekick (Tonto)...
>"What do you mean WE kimo sabe?"
>
>I personally don't have commit privileges for any part of FreeBSD.
>
>Other than that, yes, all outbound NTP queries really should be sent out
>on high numbered ports, well and truly away from 123. (And also, the
>outbound port number should be well and truly randomized, I should think.
>If it's good for the goose, i.e. DNS, then it's probably good for the
>gander too.)

Well, I'm afraid that I do not have a commit bit either (I've been sending
contributions of code and patches to those who do), so all I can do is
suggest that the community do it. Hence the "we."

And the need to do so is becoming more urgent. Just over the past 24 hours,
I am seeing attempted attacks on our servers in which the forged packets
have source port 123. Obviously, they're counting on users having "secured"
their systems with firewall rules that this will bypass.

>Of course, if this *is* messed up, then I guess that I'll have to remove
>my firewall rule, and diddle my /etc/ntp.conf file at the same time, in
>order to make sure that the Evil Ones don't come back and use & abuse me
>again.

IMHO, you should diddle /etc/ntp.conf as I mentioned in my earlier message
AND use stateful firewall rules (IPFW works fine for this) to ensure that
you only accept incoming NTP packets which are answers to your own queries.
And, as you state above, outbound queries should use randomized ephemeral
source ports as with DNS. This involves a patch to the ntpd that's shipped
with FreeBSD, because it is currently compiled to use source port 123. (Back
in the days of FreeBSD 5.x and 6.x, it used ephemeral source ports, but not
now.)

--Brett Glass
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403202028.OAA01351>
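The two defences argued for in the message above (accept inbound NTP only as the stateful answer to your own query, and send queries from randomized ephemeral ports rather than 123) can be modelled in a few lines. The following is an added example, not code from the thread, FreeBSD or IPFW: the `StatelessFilter` and `StatefulFilter` classes are a toy model of a "trust source port 123" rule versus an ipfw `keep-state` rule, the addresses are constructed RFC 5737 documentation addresses, and the ephemeral range 49152-65535 is an assumption.

```python
"""Constructed model of stateless vs. stateful inbound NTP filtering,
with and without randomized outbound source ports (example, not ipfw)."""
from dataclasses import dataclass
import secrets

NTP_PORT = 123
EPHEMERAL_LO, EPHEMERAL_HI = 49152, 65535  # assumed dynamic port range


@dataclass(frozen=True)
class Packet:
    """Just the UDP 4-tuple; payload is irrelevant to the filter decision."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatelessFilter:
    """Like a bare 'allow udp from any 123 to me' rule: trusts the source port,
    which is exactly what a forged packet with source port 123 exploits."""

    def allow_inbound(self, pkt: Packet) -> bool:
        return pkt.src_port == NTP_PORT


class StatefulFilter:
    """Like ipfw keep-state: an inbound datagram is accepted only if it is the
    exact reverse of a 4-tuple recorded when one of our own queries went out."""

    def __init__(self) -> None:
        self.state: set[tuple[str, int, str, int]] = set()

    def record_outbound(self, pkt: Packet) -> None:
        # Store the tuple in the direction the reply must arrive.
        self.state.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))

    def allow_inbound(self, pkt: Packet) -> bool:
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.state


def ephemeral_port() -> int:
    """Random high source port, as the message asks ntpd to use (like DNS)."""
    return EPHEMERAL_LO + secrets.randbelow(EPHEMERAL_HI - EPHEMERAL_LO + 1)


def evaluate(my_ip: str, server_ip: str, other_ip: str, query_src_port: int) -> dict:
    """Send one query from query_src_port, then judge three inbound datagrams
    with both filters. Returns {label: (stateless_verdict, stateful_verdict)}."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    query = Packet(my_ip, query_src_port, server_ip, NTP_PORT)
    stateful.record_outbound(query)

    inbound = {
        # Genuine answer: from server:123 back to the port we queried from.
        "real_reply": Packet(server_ip, NTP_PORT, my_ip, query_src_port),
        # The packets the message reports seeing: arbitrary source address,
        # source port 123, aimed at our ntpd listener on 123.
        "forged_src123": Packet(other_ip, NTP_PORT, my_ip, NTP_PORT),
        # Same, but with the source address set to our own time server.
        "forged_spoofed_server": Packet(server_ip, NTP_PORT, my_ip, NTP_PORT),
    }
    return {name: (stateless.allow_inbound(p), stateful.allow_inbound(p))
            for name, p in inbound.items()}


if __name__ == "__main__":
    me, server, other = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    print("ntpd querying from port 123:", evaluate(me, server, other, NTP_PORT))
    print("ntpd querying from random port:", evaluate(me, server, other, ephemeral_port()))
```

Running it shows the point of combining both fixes: the stateless rule lets every source-port-123 packet through; the stateful rule blocks the forged packets, except that while ntpd still queries from port 123 a packet spoofed from the server's address looks identical to a legitimate reply and is accepted, whereas once queries leave from a random ephemeral port that packet no longer matches any state entry.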