NTP security hole CVE-2013-5211?

Matthew Seaman matthew at FreeBSD.org
Tue Mar 18 07:41:21 UTC 2014


On 18/03/2014 03:56, Ronald F. Guilmette wrote:
> (It was explained to me at the time that NTP operates a bit like DNS...
> with which I am more familiar... i.e. that all outbound requests originate
> on high numbered ports, well and truly away from all low numbered ports,
> including, in particular, 123.  I am just re-verifying that my understanding
> in this regard is correct, and that my current blanket firewall rule is
> fine as it stands.)

It's not uncommon for NTP to have both source and destination ports set
to 123.  This was the standard some years back, but such things as NAT
always meant that couldn't be relied on.  I don't know if this is still
seen as a normal practice, but all the NTP related entries sockstat
shows me are bound to port 123 on the local side.

Unlike DNS, I don't think there are any particular security penalties to
not using a wide range of UDP source ports for NTP.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
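To make the point of the reply concrete, here is an added example (not code from the original post, and not ntpd's own code) that builds and parses the 48-byte NTP client header from RFC 5905 and then evaluates two constructed flows against two simplified outbound firewall rules: the "NTP is like DNS" rule that only passes UDP from high-numbered source ports to port 123, and a corrected rule that also passes traffic the daemon sources from port 123. The flows, the port 1024 lower bound for "high numbered ports", and the rule functions are assumptions for illustration, not a transcription of anyone's actual ruleset.

```python
"""Added example (not from the mailing-list post): why a firewall rule that
assumes NTP uses only ephemeral high source ports, as DNS resolvers do,
breaks a daemon whose sockets are bound to UDP/123 on the local side."""
import struct

NTP_PORT = 123
EPHEMERAL_MIN = 1024  # assumed lower bound of "high numbered ports" in the rule under discussion

# Association modes from RFC 5905, section 7.3
MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}


def build_ntp_client_request(version=4):
    """Build a minimal mode-3 (client) request: LI=0, VN=version, Mode=3,
    followed by 47 zero bytes to reach the 48-byte header length."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return bytes([li_vn_mode]) + bytes(47)


def parse_ntp_header(packet):
    """Decode the first four header bytes (LI/VN/Mode, stratum, poll, precision)."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBBb", packet[:4])
    mode = li_vn_mode & 0x07
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x07,
        "mode": mode,
        "mode_name": MODE_NAMES[mode],
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
    }


# Constructed sample flows (hypothetical, not captured traffic):
# ntpd keeps its socket bound to 123, so its outbound packets are 123 -> 123;
# a one-shot client (sntp/ntpdate style) uses an ephemeral source port.
FLOWS = {
    "ntpd daemon": {"src_port": 123, "dst_port": 123},
    "one-shot client": {"src_port": 51234, "dst_port": 123},
}


def rule_high_src_only(src_port, dst_port):
    """The 'NTP works like DNS' rule: pass out udp from any port > 1023 to port 123."""
    return src_port >= EPHEMERAL_MIN and dst_port == NTP_PORT


def rule_allow_ntp_src(src_port, dst_port):
    """Corrected rule: additionally pass what the daemon sources from port 123."""
    return (src_port >= EPHEMERAL_MIN or src_port == NTP_PORT) and dst_port == NTP_PORT


def evaluate(rule):
    """Return {flow name: True if the rule passes the flow's first packet}."""
    return {name: rule(f["src_port"], f["dst_port"]) for name, f in FLOWS.items()}


if __name__ == "__main__":
    pkt = build_ntp_client_request()
    print(parse_ntp_header(pkt))
    for rule in (rule_high_src_only, rule_allow_ntp_src):
        print(rule.__name__, evaluate(rule))
```

The first rule passes the one-shot client but drops the daemon's own 123 -> 123 packets, which is exactly the failure mode a "blanket" high-port rule invites; on a FreeBSD host the local binding can be confirmed with `sockstat -l | grep 123` before deciding which rule applies.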


