NTP security hole CVE-2013-5211?
Remko Lodder
remko at FreeBSD.org
Fri Mar 21 11:08:45 UTC 2014
On 21 Mar 2014, at 11:41, Info / RIT.lt <info at rit.lt> wrote:
> Dear FreeBSD users, my first experience with FreeBSD was 14 years ago, but due to hardware problems I chose Linux. After working with Linux for 14 years, I decided to give a shot to FreeBSD again. After setting up FreeBSD server with jails, I became a victim of DDoS which was launched from my dedicated server, investigation led to NTP server, this misconfiguration left with default settings shocked me, please fix this configuration bug.
>
> Firewall is for filtering traffic, but not for hiding buggy configs.
>
> Regards,
> Mindaugas Bubelis
I kept silent so far, but this lets me frown a bit.
We all know that there are people on the internet that try to hurt our businesses, 24*7*365.
All unprotected networks and hosts are targeted, 24*7*365.
It is -very- common practice to set up a security perimeter, to only allow traffic you want to have to your machine(s)
and only let out traffic you want from your machine(s). I worked for large scale ISPs, and we all did the same.
Reading the mails from this thread leads me to believe that there is no stateful firewall concept in place?
Only allow the network you want to your NTP server(s) and deny the others.
Only let out your NTP servers to the internet to retrieve the date.
Do that statefully, and only traffic you send out should come back. With the last line mentioned, it is hard, seen from the internet,
to hijack such a session and fool the firewall into letting the packet back in to your NTP server.
In my belief, if you do not filter traffic, you are making a deliberate choice to let everyone smack your service(s).
That is not a problem but you also need to modify your configuration(s) to make sure it is as safe as it gets. We (FreeBSD) updated
the ntpd.conf file that is shipped as a Security Patch so that users running our update facilities have that in place. However since
people also change their configurations on their own or do not use that, they need to be aware that they need to update the rules as
well! We do not want to enforce our configuration changes to users who might have a good reason for having an alternative setup!
The only thing I saw from Brett that might need investigation is the additional 'disable monitor', though would that break people's
setups? Are people using that on purpose for some reason? Then we cannot enforce it, just advise that this might be a solution to
prevent issues.
In my understanding and belief, stateful firewalling your networks is the best option, making sure that only your own machines
or a selected set of machines can access NTP resources on your network (or the internet, whatever you prefer) and that traffic
leaving your borders can only return if the firewall sees that you setup the communication in the first place.
In the above case: did you install the FreeBSD release and never update it? Then that is something -you- should have done. Installing
something via delivered media is always out of date and needs to be updated before first use.
Thank you.
Remko
> ________________________________________
> From: owner-freebsd-security at freebsd.org <owner-freebsd-security at freebsd.org> on behalf of Brett Glass <brett at lariat.org>
> Sent: Friday, March 21, 2014 6:44 AM
> To: Micheas Herman; freebsd-security at freebsd.org
> Subject: Re: NTP security hole CVE-2013-5211?
>
> At 10:38 PM 3/20/2014, Micheas Herman wrote:
>
>> While true, that does mean that amplification attacks are limited to being
>> able to attack those ten machines.
>
> The amplifier/relay is also a victim, and can be completely disabled by the attack
> if its link to the Net becomes saturated.
>
> --Brett Glass
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
--
/"\ Best regards, | remko at FreeBSD.org
\ / Remko Lodder | remko at EFnet
X http://www.evilcoder.org/ |
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
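As an added example that is not part of the thread or of FreeBSD's shipped configuration, the POSIX sh script below audits an ntp.conf for the two ntpd-side mitigations the thread touches on: a `restrict default ... noquery` line, which refuses control queries (monlist among them) from arbitrary sources, and the `disable monitor` Brett raised. The sample configs, the pool hostname and the function name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit an ntp.conf for the query lockdown
# and 'disable monitor'. Sample configs below are constructed for the demo.

# audit_ntp_conf FILE: print findings; return 0 if hardened, 1 if weak
audit_ntp_conf() {
    f="$1"
    weak=0
    # A 'restrict default' line carrying noquery refuses the mode-6/7
    # control queries (monlist among them) from arbitrary sources.
    if ! grep -Eq '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default[[:space:]].*noquery' "$f"; then
        echo "$f: no 'restrict default ... noquery' line"
        weak=1
    fi
    # 'disable monitor' turns off the per-client list that a monlist reply
    # is built from, so there is nothing large to reflect.
    if ! grep -Eq '^[[:space:]]*disable([[:space:]]+[a-z]+)*[[:space:]]+monitor([[:space:]]|$)' "$f"; then
        echo "$f: 'disable monitor' not set"
        weak=1
    fi
    return $weak
}

WEAK=$(mktemp) HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

# Constructed sample: time sync works, but nothing limits who may query.
cat > "$WEAK" <<'EOF'
server 0.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
EOF

# Constructed sample: queries refused by default, localhost kept, monitor off.
cat > "$HARD" <<'EOF'
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
disable monitor
driftfile /var/db/ntpd.drift
EOF

audit_ntp_conf "$WEAK" || echo "$WEAK: needs attention"
audit_ntp_conf "$HARD" && echo "$HARD: looks hardened"
```

The stateful firewall the message recommends is still needed in front of this; the audit only covers what ntpd itself will answer.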