Re: NTP security hole CVE-2013-5211?

Board: FB_security, posted 2014/03/16 03:32 (12 years ago); 0 comments, 0 participants; thread post 23/48
At 11:18 AM 3/15/2014, Xin Li wrote:

>Either it wouldn't or my test was wrong. My test was 'ntpdc -c
>monlist' and tcpdump.

My test was to actually expose the server to the attack I was experiencing. Note that these packets might not have been exactly the same ones that are sent by ntpdc. For every packet it received, the server sent a rejection to the source IP, which was spoofed. The relaying stopped when I added the lines I mentioned in my previous message to the configuration file.

It is good practice to have those lines in the file anyway, to provide effective access control. If one does not intend to be running a public NTP server, the server should not be open to the world; in fact, it should probably be behind a stateful firewall that does not accept packets destined for UDP port 123 from the Internet at large unless they are known to be responses to queries. I've implemented this in the IPFW rules of all of my servers.

--Brett Glass

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
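The message above describes two defensive layers without showing either: ntp.conf access-control lines and a stateful IPFW policy for UDP/123. The script below is an added illustration and is not Brett Glass's ruleset or the lines from his earlier message; it emits a generic ntpd `restrict` block (the `noquery` keyword is what refuses mode-7 requests such as `monlist`) and a minimal ipfw(8) ruleset in which outbound queries create dynamic state so only replies to them are admitted from the Internet. `EXT_IF`, `LAN_ADDR` and `LAN_MASK` are placeholders for the external interface and the LAN that is allowed to use the host as a time source. The functions only print the rules; set `APPLY=1` to load the ipfw rules on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates (and optionally
# loads) access control for a non-public ntpd: ntp.conf restrict lines plus
# stateful IPFW rules for UDP port 123.

# Placeholders (assumptions): external interface and the LAN that may query us.
EXT_IF="${EXT_IF:-em0}"
LAN_ADDR="${LAN_ADDR:-192.0.2.0}"       # documentation range, constructed
LAN_MASK="${LAN_MASK:-255.255.255.0}"

# ipfw rules. ntpd sends its own queries from source port 123, so the
# keep-state entry created by rule 1010 is what admits the server's reply;
# anything else arriving on UDP/123 from the external interface is dropped
# and logged (rule 1030), so spoofed monlist requests never reach ntpd.
ipfw_ntp_rules() {
    cat <<EOF
ipfw -q add 1000 check-state
ipfw -q add 1010 allow udp from me to any 123 out via $EXT_IF keep-state
ipfw -q add 1020 allow udp from $LAN_ADDR:$LAN_MASK to me 123 in
ipfw -q add 1030 deny log udp from any to me 123 in via $EXT_IF
EOF
}

# ntp.conf access control. Generic ntpd directives: "noquery" refuses
# ntpq/ntpdc information requests (including mode-7 monlist) from the
# default (everyone) entry; localhost and the LAN are re-opened for time
# service only.
ntp_restrict_conf() {
    cat <<EOF
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict $LAN_ADDR mask $LAN_MASK nomodify notrap nopeer
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
    ipfw_ntp_rules | sh
else
    echo "# ipfw rules (run with APPLY=1 on the FreeBSD host to load them):"
    ipfw_ntp_rules
    echo "# ntp.conf access control:"
    ntp_restrict_conf
fi
```

Order matters in the ipfw block: `check-state` must precede the deny so that replies matching a dynamic entry are accepted before rule 1030 sees them, and the LAN allow sits between them so internal clients are served without creating state.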
Article code (AID): #1J9AgpUT (FB_security)