[OpenIndiana-discuss] Avoiding the NTP amplification exploit

Laurent Blume laurent+oi at elanor.org
Thu Feb 13 10:49:35 UTC 2014


Le 2014/02/13 11:35 +0100, Bob Friesenhahn a écrit:
> On Wed, 12 Feb 2014, Saso Kiselkov wrote:
>>
>> Prudent advice, yes, but I can't think of any situation where an openly
>> accessible NTP service on an Internet-facing machine that isn't
>> *specifically* configured to be an NTP server isn't a case of bad admin
>> negligence. *All* Internet-facing machines should be running ipfilters
>> and only open up ports for the services they are designed to provide.
>
> That is pretty harsh.

It's also pretty much true, and plenty of security standards require 
enforcement of that basic policy.

> I had a FreeBSD system which was attacked by this
> exploit a couple of months ago and it took down my Internet connection
> (massive packet loss) until I figured out the cause.  That system still
> receives millions of NTP packets per day (which are now tossed).
>
> There is no warning in the NTP documentation about the software
> automatically acting like a "server" and NTP is pretty much a peer-peer
> protocol

Not really, no. Correct time is not a consensus. NTP definitely has a 
strict top-down hierarchy, not a flat P2P one. But it is indeed 
difficult to fully grasp it, and sadly, Solaris already has a long track 
record of not caring much to provide correct defaults.

> so it is reasonable to leave that port open on the firewall
> since some NTP clients might not be properly configured yet to use a
> local NTP server.  Regardless, the protocol being exploited does not
> seem to be normal NTP itself but an admin-related protocol.

All firewalls are now stateful, even for non-connected protocols. You
don't need to allow *incoming* NTP traffic on UDP/123 to allow
*outgoing* traffic. So that's not really a valid reason.

Laurent
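As an added illustration of the policy argued for in this thread (not part of the original message), here is a constructed ipfilter rule set for an OpenIndiana host that is an NTP *client* only: it lets the host's own queries out and, through the state table, lets only the matching replies back in, while unsolicited UDP/123 traffic from the Internet is dropped. The interface name `e1000g0` and the assumption that SSH is the only service the host provides are placeholders to adapt.

```ipf
# Constructed example /etc/ipf/ipf.conf -- NTP client that is not an NTP server.
# Interface name and the SSH service are assumptions; replace with your own.

# Outbound: the host may initiate TCP and UDP (including its NTP queries to
# UDP/123). "keep state" records each outgoing flow so that only the reply
# from that exact server address/port pair is allowed back in.
pass out quick on e1000g0 proto tcp/udp from any to any keep state

# Inbound: only the services this host is designed to provide (assumed: SSH).
pass in quick on e1000g0 proto tcp from any to any port = 22 flags S keep state

# Inbound: everything else, including unsolicited UDP/123 queries that would
# turn the host into an amplifier, is dropped and logged.
block in log quick on e1000g0 all
```

After loading the rules (`svcadm enable network/ipfilter`, then `ipfstat -io` to confirm they are active), `ipfstat -sl` shows the state entries created by the host's own NTP queries; a query arriving from an arbitrary Internet address matches none of them and falls through to the final block rule, which is why no separate inbound allow for UDP/123 is needed for a client.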