URGENT? (was: Re: NTP security hole CVE-2013-5211?)

Mark Andrews marka at isc.org
Sat Mar 22 00:18:02 UTC 2014 

In message <51546.1395432085 at server1.tristatelogic.com>, "Ronald F. Guilmette" 
writes:
> 
> In message <20140322000445.C31989 at sola.nimnet.asn.au>, 
> Ian Smith <smithi at nimnet.asn.au> wrote:
> 
> >As assorted experts have suggested, you need a stateful rule.  It's 
> >really not that hard; if you _only_ needed to protect ntp on udp:
> >
> > kldload ipfw && add 65000 allow ip from any to any	# load null fw
> > ipfw add allow udp from me to any ntp out xmit $outsideif keep-state
> > ipfw add deny udp from any to me ntp in recv $outsideif
> >
> >Done.  Perfectly configured for this one purpose, statefully no less ..
> 
> Sounds great to me!  However I've never really used any of the stateful
> ipfw stuff, so I'm venturing out into what, for me, are unfamiliar waters.
> So I hope you'll be kind and entertain a question or two, to help me
> understand exactly what I'm supposed to do.
> 
> I've just skimmed over the page here:
> 
>    https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
> 
> and my questions are based on the tutorial information I've found there.
> 
> First question:  In addition to what you have written above, may I safely
> assume that I also need an additional rule, somewhere early in my entire
> (numbered) list of rules, that just simply says "check-state"?
> 
> Second question:  In the example text given just about half-way down on
> the web page cited above, within part of a big block of example rules I
> see this:
> 
>    # Allow outbound NTP
>    $cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
> 
> This is more than a little befuddling to me, for one simple reason... I had
> no idea until now that NTP could even make use of TCP, rather than, or in
> addition to UDP.  But I did look in my /etc/services file and saw this:
> 
>       ntp             123/tcp    #Network Time Protocol
>       ntp             123/udp    #Network Time Protocol
> 
> so obviously, yes, both UDP and TCP can be used for the NTP protocol,
> rather like DNS, I gather.

No.  IANA (Jon) just assigned/reserved both UDP and TCP for all
protocols at the time.  HTTP is also listed as UDP and TCP but
it is only TCP with UDP reserved.

> But the example, noted above, as given
> within the FreeBSD Handbook appears to make the assumption that NTP is
> using TCP.  That still leaves me a bit befuddled, because I had assumed...
> until now...  that tcpd would be doing all of its communicating strictly
> via UDP.  (I mean ntpd's use of UDP, rather than TCP, is _the_  essential
> thing that has given rise to all of these NTP reflection attacks, no?
> The IP address spoofing of the intended vctim becomes one helluva lot
> harder if it has to be done within the context of TCP, rather than UDP,
> yes?)
>
> So, um, when, if ever, does ntpd use TCP, rather than UDP, and how would
> a sysadmin running ntpd tell it to use either UDP or TCP?

NTP uses UDP.  Period.

> (My apologies if this is stuff that everybody else already knows.  I sure
> don't.)
> 
> Last question:  Assuming that my local ntpd is strictly and only using
> UDP for all communication, would something like the following be a proper
> set of additions to my current ipfw rules?
> 
>       add 00101 check-state
>       add 00500 pass udp from <localip> 123 to any 123 out via $pif keep-stat
> e
> 
> If not, what should I use instead?
> 
> Thanks in advance for all help & understanding.
> 
> 
> Regards,
> rfg
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the freebsd-security mailing list