[OpenIndiana-discuss] Avoiding the NTP amplification exploit

Saso Kiselkov skiselkov.ml at gmail.com
Wed Feb 12 14:48:20 UTC 2014


On 2/12/14, 2:43 PM, Gary Mills wrote:
> For those who haven't already heard about this NTP exploit, it begins
> with a single UDP packet sent to a computer running the NTP service.
> With the default configuration, a monlist query will result in many
> packets being returned to the source of the query.  All it takes is a
> spoofed source address to turn this into a DOS attack.  You can read
> about it here:
> 
>     http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
> 
> The solution is here:
> 
>     http://support.ntp.org/bin/view/Support/AccessRestrictions
> 
> I'm attaching the changes I made to my ntp.conf to avoid this problem.

Prudent advice, yes, but I can't think of any situation where an openly
accessible NTP service on an Internet-facing machine that isn't
*specifically* configured to be an NTP server isn't a case of bad admin
negligence. *All* Internet-facing machines should be running ipfilters
and only open up ports for the services they are designed to provide.

Anyway, you're right on the changes to ntp.conf and I have to wonder why
this wasn't the default in the ntp package to begin with.

Just my two cents...

Cheers,
-- 
Saso
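To make the two mitigations in the thread concrete (the ntp.org access-restriction advice Gary links and the "why wasn't this the default" point), here is an added audit script, not Gary's attachment and not part of the original list post. It embeds two constructed ntp.conf fragments, a weak one with an open default restrict and a hardened one with `disable monitor` plus `noquery`, and checks whether a config would still answer mode 7 (monlist) queries from arbitrary sources. The driftfile path and server names are assumed for the example.

```python
"""Audit an ntp.conf for the settings that leave monlist reflection open.

Added example, constructed for illustration. Per ntp.org's AccessRestrictions
page, an ntpd stops being a monlist reflector when either the monitor facility
is disabled (`disable monitor`) or the default restrict line carries `noquery`
(which refuses mode 6/7 control queries); this script checks for both.
"""

# Constructed sample: the kind of default that answers monlist for anyone.
WEAK_CONF = """
server 0.pool.ntp.org
driftfile /var/ntp/ntp.drift
restrict default nomodify notrap      # no noquery, monitor still on
restrict 127.0.0.1
"""

# Constructed sample following the access-restriction guidance.
HARDENED_CONF = """
server 0.pool.ntp.org iburst
driftfile /var/ntp/ntp.drift
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""


def parse_ntp_conf(text):
    """Return (restricts, disabled) where restricts is a list of
    (address, set_of_flags) and disabled is the set of `disable`d features."""
    restricts = []
    disabled = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        words = line.split()
        key, args = words[0], words[1:]
        if key == "restrict":
            if args and args[0] in ("-4", "-6"):  # address-family switch
                args = args[1:]
            if not args:
                continue
            address, flags = args[0], set()
            rest = args[1:]
            i = 0
            while i < len(rest):
                if rest[i] == "mask":      # `mask x.x.x.x` takes an operand
                    i += 2
                    continue
                flags.add(rest[i])
                i += 1
            restricts.append((address, flags))
        elif key == "disable":
            disabled.update(args)
        elif key == "enable":
            disabled.difference_update(args)
    return restricts, disabled


def audit(text):
    """Summarise whether the config would act as a monlist reflector."""
    restricts, disabled = parse_ntp_conf(text)
    defaults = [flags for addr, flags in restricts if addr == "default"]
    monitor_enabled = "monitor" not in disabled
    # Every default restrict line (v4 and v6) must carry noquery.
    default_noquery = bool(defaults) and all("noquery" in f for f in defaults)
    return {
        "monitor_enabled": monitor_enabled,
        "default_noquery": default_noquery,
        "exposed": monitor_enabled and not default_noquery,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

Run it against a real `/etc/inet/ntp.conf` by reading the file into `audit()`; a result with `exposed` set is the case Gary describes, and the fix is the `restrict default ... noquery` / `disable monitor` pair shown in the hardened sample. The host-level ipfilter rule Saso mentions is the complementary layer: it keeps UDP/123 from reaching ntpd at all except from the peers the box is meant to talk to.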
