[OpenIndiana-discuss] Avoiding the NTP amplification exploit

Saso Kiselkov skiselkov.ml at gmail.com
Wed Feb 12 17:43:26 UTC 2014


On 2/12/14, 5:35 PM, Bob Friesenhahn wrote:
> On Wed, 12 Feb 2014, Saso Kiselkov wrote:
>>
>> Prudent advice, yes, but I can't think of any situation where an openly
>> accessible NTP service on an Internet-facing machine that isn't
>> *specifically* configured to be an NTP server isn't a case of bad admin
>> negligence. *All* Internet-facing machines should be running ipfilters
>> and only open up ports for the services they are designed to provide.
> 
> That is pretty harsh.  I had a FreeBSD system which was attacked by this
> exploit a couple of months ago and it took down my Internet connection
> (massive packet loss) until I figured out the cause.  That system still
> receives millions of NTP packets per day (which are now tossed).
> 
> There is no warning in the NTP documentation about the software
> automatically acting like a "server" and NTP is pretty much a peer-peer
> protocol so it is reasonable to leave that port open on the firewall
> since some NTP clients might not be properly configured yet to use a
> local NTP server.  Regardless, the protocol being exploited does not
> seem to be normal NTP itself but an admin-related protocol.

What services was the system providing? Was NTP one of them? If not,
then why were you not running ipf? Always use layered defenses, minimize
attack surfaces and don't assume services are configured properly out of
the box, or that they are without bugs.

Cheers,
-- 
Saso
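Saso's two layers, concretely, as an added example that is not from the thread or from the OpenIndiana project: an ntp.conf that stops ntpd answering mode 7 queries (monlist, the "admin-related protocol" Bob refers to) while it still syncs and serves time, and illumos ipf rules that leave UDP/123 open only to the configured time sources. The interface name `net0`, the RFC 5737 addresses, and the `SERVE_LAN` switch are assumptions to replace; the `restrict`, `disable monitor`, `ipf` and `svcadm` options used are the stock ones on illumos/OpenIndiana.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumptions (replace for your host): primary interface net0, upstream time
# sources and LAN prefix taken from RFC 5737 documentation ranges.
IFACE="${IFACE:-net0}"
UPSTREAM="${UPSTREAM:-198.51.100.10 198.51.100.11}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"
SERVE_LAN="${SERVE_LAN:-no}"   # set to "yes" only if this box is meant to serve time to LAN_NET

# Layer 1: ntpd. 'noquery' refuses mode 6/7 control queries (monlist is a
# mode 7 request), 'disable monitor' switches off the MRU list monlist reads
# from, and plain mode 3 time requests are still answered.
ntp_restrict_conf() {
    cat <<EOF
# --- weak: a bare 'server' line plus ntpd defaults answers monlist for anyone ---
# server 198.51.100.10
#
# --- hardened ---
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF
    for s in $UPSTREAM; do
        echo "server $s iburst"
    done
}

# Layer 2: ipf. Outbound queries to known servers create state entries, so
# their replies are matched from the state table before any rule is consulted;
# everything else arriving on UDP/123 is dropped and logged.
ipf_ntp_rules() {
    for s in $UPSTREAM; do
        echo "pass out quick on $IFACE proto udp from any to $s port = 123 keep state"
    done
    if [ "$SERVE_LAN" = "yes" ]; then
        echo "pass in quick on $IFACE proto udp from $LAN_NET to any port = 123"
    fi
    echo "block in log quick on $IFACE proto udp from any to any port = 123"
}

# Install both layers on an OpenIndiana host (paths and FMRIs are the stock ones).
apply_config() {
    ntp_restrict_conf > /etc/inet/ntp.conf
    ipf_ntp_rules > /etc/ipf/ipf.conf
    svcadm enable network/ipfilter
    ipf -Fa -f /etc/ipf/ipf.conf       # flush and reload the active rule set
    svcadm restart network/ntp
}

# Verification from another host: this must now time out or be refused.
check_monlist() {
    ntpdc -n -c monlist "$1"
}

case "${1:-}" in
    apply) apply_config ;;
    show)  ntp_restrict_conf; echo; ipf_ntp_rules ;;
esac
```

Run `sh harden-ntp.sh show` to review the generated configuration, `apply` as root to install it, then `check_monlist <this host>` from outside; `ipfstat -hio` and `ipmon` show the dropped queries the block rule logs, which is how you would notice the millions of packets per day Bob describes without them reaching ntpd.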


