[OpenIndiana-discuss] Avoiding the NTP amplification exploit
Bob Friesenhahn
bfriesen at simple.dallas.tx.us
Wed Feb 12 17:35:25 UTC 2014
On Wed, 12 Feb 2014, Saso Kiselkov wrote:
>
> Prudent advice, yes, but I can't think of any situation where an openly
> accessible NTP service on an Internet-facing machine that isn't
> *specifically* configured to be an NTP server isn't a case of bad admin
> negligence. *All* Internet-facing machines should be running ipfilters
> and only open up ports for the services they are designed to provide.
That is pretty harsh. I had a FreeBSD system which was attacked by
this exploit a couple of months ago and it took down my Internet
connection (massive packet loss) until I figured out the cause. That
system still receives millions of NTP packets per day (which are now
tossed).
There is no warning in the NTP documentation about the software
automatically acting like a "server" and NTP is pretty much a
peer-peer protocol so it is reasonable to leave that port open on the
firewall since some NTP clients might not be properly configured yet
to use a local NTP server. Regardless, the protocol being exploited
does not seem to be normal NTP itself but an admin-related protocol.
Bob
--
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
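The "admin-related protocol" Bob refers to is the ntpd mode 7 control interface (the one behind the `monlist` query), not ordinary client/server time exchange, so the host-side fix is to refuse those queries while still answering normal time requests. The following configuration is an added example, not part of the list thread or of Bob's setup; the interface name `e1000g0`, the LAN prefix `192.0.2.0/24` and the upstream server address `198.51.100.10` are assumed placeholders, and the `restrict` syntax is that of ntpd 4.2.x.

```conf
# --- /etc/inet/ntp.conf (example; addresses are placeholders) ---

# Upstream time source.
server 198.51.100.10 iburst

# Default policy for every address: serve time (no "ignore"), but
# noquery  - refuse mode 6/7 control queries, which removes the
#            monlist amplifier while leaving mode 3 client requests working
# nomodify - refuse runtime configuration changes
# notrap   - refuse trap (event-logging) registrations
# nopeer   - refuse unsolicited peer associations
# kod      - send a kiss-o'-death packet to abusive clients
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Localhost keeps full access so ntpq/ntpdc still work for the admin.
restrict 127.0.0.1
restrict -6 ::1

# Belt and braces: stop ntpd keeping the per-client list monlist reports on.
disable monitor

# --- /etc/ipf/ipf.conf (example ipfilter rules for the same host) ---

# Replies to our own outbound time requests come back via state.
pass out quick on e1000g0 proto udp from any to any port = 123 keep state

# Allow the LAN, which may still point clients at this host, to query it.
pass in quick on e1000g0 proto udp from 192.0.2.0/24 to any port = 123 keep state

# Everything else arriving on UDP/123 is dropped, so a spoofed query from
# the Internet can no longer be turned into a reflected response.
block in quick on e1000g0 proto udp from any to any port = 123
```

With the `restrict` lines in place the daemon itself stops answering mode 7 queries even if the firewall rule is later relaxed, and with the ipf rules in place an unpatched or misconfigured ntpd is unreachable from outside the LAN; applying both means a single mistake in either layer does not reopen the amplifier. After a change, `ntpq -c rv` from localhost should still work, while the same query from an outside address should time out.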