misc/185371: NTPD vulnerable to being used for DDOS
Brian Rak
brak at constant.com
Tue Dec 31 17:30:00 UTC 2013
>Number: 185371
>Category: misc
>Synopsis: NTPD vulnerable to being used for DDOS
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 31 17:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Brian Rak
>Release: 9.1.0
>Organization:
>Environment:
FreeBSD XXXX 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root at farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
The FreeBSD default ntp.conf makes the NTP server vulnerable to being used for a DDOS attack.
Please see:
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
https://isc.sans.edu/diary/NTP+reflection+attack/17300
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
The issue is in this configuration file:
http://svnweb.freebsd.org/base/release/9.2.0/etc/ntp.conf?revision=255898&view=markup
All the restrict lines are commented out (for reasons I'm unsure of, the comments don't make any sense).
>How-To-Repeat:
To determine if a server is vulnerable:
ntpdc -c monlist SERVERIP
If you see a list of hosts, rather then 'timed out, nothing received', the machine can be exploited in this way.
>Fix:
You can replace all the existing (commented) restrict lines with the following:
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
This configuration will allow the NTP daemon to function correctly both as a client and server, and prevent it from being abused in this way.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list