NTP security hole CVE-2013-5211?
Dimitry Andric
dim at FreeBSD.org
Fri Mar 14 20:27:28 UTC 2014
On 14 Mar 2014, at 16:38, Brett Glass <brett at lariat.org> wrote:
> Two months after this vulnerability was announced, we're still seeing attempts to use the NTP "monitor" query to execute and amplify DDoS attacks. Unfortunately, FreeBSD, in its default configuration, will amplify the attacks if not patched and will still relay them (by sending "rejection" packets), obfuscating the source of the attack, if the system is patched using freebsd-update but the default ntp.conf file is not changed.
>
> To avoid this, it's necessary to change /etc/ntp.conf to include the following lines:
>
> # Stop amplification attacks via NTP servers
> disable monitor
> restrict default kod nomodify notrap nopeer noquery
> restrict 127.0.0.1
> restrict 127.127.1.0
> # Note: Comment out these lines on machines without IPv6
> restrict -6 default kod nomodify notrap nopeer noquery
> restrict -6 ::1
>
> We've tested this configuration on our servers and it successfully prevents the latest patches of FreeBSD 9.x and 10.0 from participating in a DDoS attack, either as a relay or as an amplifier.
>
> Some of our own systems which were probed prior to the time we secured them are still receiving a large stream of attack packets, apparently from a botnet.
>
> I'd recommend that the lines above be included in the default /etc/ntp.conf in all future releases, and that all systems that use the default ntp.conf without modification be patched automatically via freebsd-update.
It looks like you missed http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc then? Which was released on Jan 14, and has all the instructions how to patch your system. It also shows this was fixed for all supported FreeBSD releases.
-Dimitry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140314/e3c6c479/attachment.sig>
More information about the freebsd-security
mailing list