URGENT? (was: Re: NTP security hole CVE-2013-5211?)
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Mar 20 20:43:32 UTC 2014
In message <201403202028.OAA01351 at mail.lariat.net>,
Brett Glass <brett at lariat.org> wrote:
>...
>And the need to do so is becoming more urgent. Just over the past 24 hours,
>I am seeing attempted attacks on our servers in which the forged packets
>have source port 123. Obviously, they're counting on users having "secured"
>their systems with firewall rules that this will bypass.
>...
>And, as you state above, outbound queries should use randomized ephemeral
>source ports as with DNS. This involves a patch to the ntpd that's shipped
>with FreeBSD, because it is currently compiled to use source port 123.
I'm no expert, but I'll go out on a limb here anyway and say that the choice
to make NTP outbound queries always use source port 123 is, as far as I can
see, really really ill-advised. Did we learn nothing from all of the bruhaha
a couple of years ago about DNS amplification attacks and the ways that
were finally settled on to effectively thwart them (most specifically the
randomization of query source ports)?
I dearly hope that someone on this list who does in fact have commit privs
will jump on this Right Away. I'm not persuaded that running a perfectly
configured ipfw... statefully, no less... should be an absolute prerequsite
for running any Internet-connected FreeBSD-based device that simply wishes
to always know the correct time.
More information about the freebsd-security
mailing list