On Friday, 21 March 2014 23:18:39 UTC, Julian Elischer wrote:
> On 3/20/14, 9:20 PM, Brett Glass wrote:
> > At 03:37 PM 3/20/2014, Ronald F. Guilmette wrote:
> >
> >> Starting from these lines in my /etc/ntp.conf file:
> >>
> >> server 0.freebsd.pool.ntp.org iburst
> >> server 1.freebsd.pool.ntp.org iburst
> >> server 2.freebsd.pool.ntp.org iburst
> >>
> >> I resolved each of those three host names to _all_ of its associated
> >> IPv4 addresses. This yielded me the following list:
> >>
> >> 50.116.38.157
> >> 69.50.219.51
> >> 69.55.54.17
> >> 69.167.160.102
> >> 108.61.73.244
> >> 129.250.35.251
> >> 149.20.68.17
> >> 169.229.70.183
> >> 192.241.167.38
> >> 199.7.177.206
> >> 209.114.111.1
> >> 209.118.204.201
>
> You can't use this list because the members of the pool change over time.
>
> You need the following rules placed in the correct places in your ruleset:
>
> check-state
> and
> allow udp from me to any 123 out via ${oif} keep-state
>
> Unless a udp packet first exits via the second rule, the first will not match
> and will continue on to further rules (which should throw it away, one hopes).
> Once an outgoing udp packet to 123 has been seen on the second rule,
> any response will be allowed for the next N seconds (it's some small
> integer, from memory). Any copy of that packet that comes after the timeout
> will be dropped again.
>
> > [Snip]
> >
> > All of this is good. However, remember that anyone who can spoof IPs
> > will know that the above addresses are the defaults for any FreeBSD
> > machine and can take advantage of these "holes" in your firewall.
> >
> > --Brett Glass
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

We had a DDoS attack on one of our servers over the Christmas period, which ate up our bandwidth. Initially, we could not find what the problem was until news began to filter about NTP DDoS attacks over the holiday period. Found the information here quite useful:
http://www.timetools.co.uk/2014/01/20/ntp-reflection-distributed-denial-service-ddos-attacks/