[OpenIndiana-discuss] Avoiding the NTP amplification exploit
Laurent Blume
laurent+oi at elanor.org
Thu Feb 13 10:49:35 UTC 2014
Le 2014/02/13 11:35 +0100, Bob Friesenhahn a écrit:
> On Wed, 12 Feb 2014, Saso Kiselkov wrote:
>>
>> Prudent advice, yes, but I can't think of any situation where an openly
>> accessible NTP service on an Internet-facing machine that isn't
>> *specifically* configured to be an NTP server isn't a case of bad admin
>> negligence. *All* Internet-facing machines should be running ipfilters
>> and only open up ports for the services they are designed to provide.
>
> That is pretty harsh.
It's also pretty much true, and plenty of security standards require
enforcement of that basic policy.
> I had a FreeBSD system which was attacked by this
> exploit a couple of months ago and it took down my Internet connection
> (massive packet loss) until I figured out the cause. That system still
> receives millions of NTP packets per day (which are now tossed).
>
> There is no warning in the NTP documentation about the software
> automatically acting like a "server" and NTP is pretty much a peer-peer
> protocol
Not really, no. Correct time is not a consensus. NTP definitely has a
strict top-down hierarchy, not a flat P2P one. But it is indeed
difficult to fully grasp it, and sadly, Solaris already has a long track
record of not caring much to provide correct defaults.
> so it is reasonable to leave that port open on the firewall
> since some NTP clients might not be properly configured yet to use a
> local NTP server. Regardless, the protocol being exploited does not
> seem to be normal NTP itself but an admin-related protocol.
All firewalls are now stateful, even for non connected protocols. You
don't need to allow *incoming* NTP traffic on UDP/123 to allow
*outgoing* traffic. So that's not really a valid reason.
Laurent
More information about the OpenIndiana-discuss
mailing list