[OpenIndiana-discuss] Avoiding the NTP amplification exploit

Gary Mills gary_mills at fastmail.fm
Wed Feb 12 15:40:40 UTC 2014


On Wed, Feb 12, 2014 at 02:48:20PM +0000, Saso Kiselkov wrote:
> On 2/12/14, 2:43 PM, Gary Mills wrote:
> > For those who haven't already heard about this NTP exploit, it begins
> > with a single UDP packet sent to a computer running the NTP service.
> > With the default configuration, a monlist query will result in many
> > packets being returned to the source of the query.  All it takes is a
> > spoofed source address to turn this into a DOS attack.  You can read
> > about it here:
> > 
> >     http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
> > 
> > The solution is here:
> > 
> >     http://support.ntp.org/bin/view/Support/AccessRestrictions
> > 
> > I'm attaching the changes I made to my ntp.conf to avoid this problem.
> 
> Prudent advice, yes, but I can't think of any situation where an openly
> accessible NTP service on an Internet-facing machine that isn't
> *specifically* configured to be an NTP server isn't a case of bad admin
> negligence. *All* Internet-facing machines should be running ipfilters
> and only open up ports for the services they are designed to provide.

This is curious.  The Symantec article says to upgrade to version
4.2.7 to eliminate this exploit.  I see that oi_151a9 runs version
4.2.7p411, which I assume is not vulnerable.  My Solaris 11.1 desktop
only runs version 4.2.5p200, putting it behind the OI version.  It
likely is vulnerable.

> Anyway, you're right on the changes to ntp.conf and I have to wonder why
> this wasn't the default in the ntp package to begin with.

Yes, the configuration could still be changed in OI to make the
service less visible externally.

-- 
-Gary Mills-		-refurb-		-Winnipeg, Manitoba, Canada-
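As an added example (not from this thread or the ntp project), a small Python check that reads an ntp.conf and reports whether monlist can still be answered for arbitrary source addresses, applying the restrict flags from the ntp.org AccessRestrictions page linked above; the two sample configurations and the `monlist_exposed` helper are constructed for illustration.

```python
# Added example; assumes ntpd's syntax 'restrict [-4|-6] default <flags>' and 'disable monitor'.

# Constructed sample: time service with no access restrictions at all, so
# mode-7 queries such as monlist are answered for any source address.
WEAK_CONF = """\
server 0.pool.ntp.org
driftfile /var/ntp/ntp.drift
"""

# Constructed sample following http://support.ntp.org/bin/view/Support/AccessRestrictions
HARDENED_CONF = """\
server 0.pool.ntp.org
driftfile /var/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery   # serve time only
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1                                     # local host keeps full access
restrict -6 ::1
disable monitor                                        # nothing left for monlist to return
"""

def _tokens(conf_text):
    """Yield the whitespace-split words of each line, comments removed."""
    for raw in conf_text.splitlines():
        words = raw.split('#', 1)[0].split()
        if words:
            yield words

def monlist_exposed(conf_text):
    """Return True if arbitrary remote hosts can still issue monlist.
    Conservative rule: 'disable monitor' is safe outright; otherwise each address
    family is safe only if every 'restrict default' line covering it carries
    'noquery' (or 'ignore'). No default line means ntpd's full access: exposed."""
    safe = {'v4': None, 'v6': None}   # None = no default restrict seen yet
    for words in _tokens(conf_text):
        if words[0] == 'disable' and 'monitor' in words[1:]:
            return False
        if words[0] != 'restrict' or 'default' not in words:
            continue
        flags = set(words[words.index('default') + 1:])
        blocks = bool(flags & {'noquery', 'ignore'})
        family = {'-4': ('v4',), '-6': ('v6',)}.get(words[1], ('v4', 'v6'))
        for fam in family:
            safe[fam] = blocks if safe[fam] is None else (safe[fam] and blocks)
    return not (safe['v4'] and safe['v6'])

if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, 'exposed' if monlist_exposed(conf) else 'ok')
```

A default line that restricts only IPv4 (`restrict -4 default ...`) leaves the IPv6 side open, which the check reports as exposed.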