Board: FB_security
On 14 Mar 2014, at 16:38, Brett Glass <brett@lariat.org> wrote:
> Two months after this vulnerability was announced, we're still seeing attempts to use the NTP "monitor" query to execute and amplify DDoS attacks. Unfortunately, FreeBSD, in its default configuration, will amplify the attacks if not patched and will still relay them (by sending "rejection" packets), obfuscating the source of the attack, if the system is patched using freebsd-update but the default ntp.conf file is not changed.
>
> To avoid this, it's necessary to change /etc/ntp.conf to include the following lines:
>
> # Stop amplification attacks via NTP servers
> disable monitor
> restrict default kod nomodify notrap nopeer noquery
> restrict 127.0.0.1
> restrict 127.127.1.0
> # Note: Comment out these lines on machines without IPv6
> restrict -6 default kod nomodify notrap nopeer noquery
> restrict -6 ::1
>
> We've tested this configuration on our servers and it successfully prevents the latest patches of FreeBSD 9.x and 10.0 from participating in a DDoS attack, either as a relay or as an amplifier.
>
> Some of our own systems which were probed prior to the time we secured them are still receiving a large stream of attack packets, apparently from a botnet.
>
> I'd recommend that the lines above be included in the default /etc/ntp.conf in all future releases, and that all systems that use the default ntp.conf without modification be patched automatically via freebsd-update.

It looks like you missed http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc then? Which was released on Jan 14, and has all the instructions how to patch your system. It also shows this was fixed for all supported FreeBSD releases.

-Dimitry
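
The ntp.conf lines quoted in the message above can be checked mechanically across a fleet. The following Python sketch is an added example, not part of the original message or of FreeBSD: the function name `audit_ntp_conf`, the two constructed sample configs, and the choice to count an unqualified `restrict default` as IPv4 only (as the quoted message treats it) are assumptions of this example.

```python
# Added example: audit ntp.conf text against the settings quoted in the message.
REQUIRED = ("kod", "nomodify", "notrap", "nopeer", "noquery")  # flags from the quoted lines

def audit_ntp_conf(text, ipv6=True):
    """Return a list of findings; an empty list means the quoted settings are present."""
    monitor_disabled = False
    seen = {"IPv4": False, "IPv6": False}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not tokens:
            continue
        if tokens[0] in ("disable", "enable") and "monitor" in tokens[1:]:
            monitor_disabled = tokens[0] == "disable"   # the last directive wins
        elif tokens[0] == "restrict":
            args = tokens[1:]
            family = "IPv4"   # assumption: unqualified 'default' is counted as IPv4
            if args and args[0] in ("-4", "-6"):
                family = "IPv6" if args[0] == "-6" else "IPv4"
                args = args[1:]
            if args and args[0] == "default":
                seen[family] = True
                # Each default line is judged on its own, which is the strict reading.
                missing = [f for f in REQUIRED if f not in args[1:]]
                if missing:
                    findings.append(f"line {lineno}: {family} default restrict lacks {' '.join(missing)}")
    if not monitor_disabled:
        findings.append("no 'disable monitor' line")
    for family in ("IPv4", "IPv6"):
        if (family == "IPv4" or ipv6) and not seen[family]:
            findings.append(f"no {family} 'restrict default' line")
    return findings

HARDENED = """\
# Stop amplification attacks via NTP servers
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1
"""
WEAK = """\
server ntp.example.org iburst   # constructed sample, not a real default file
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

if __name__ == "__main__":
    print(audit_ntp_conf(HARDENED), audit_ntp_conf(WEAK), sep="\n")
```

Pass `ipv6=False` for hosts without IPv6, matching the note in the quoted configuration.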