ChrisJumper (Advocate)
Joined: 12 Mar 2005 Posts: 2390 Location: Germany
Posted: Fri Jan 17, 2014 10:40 pm Post subject: DRDoS with net-misc/ntp
DRDoS Amplification Attack Using ntpdc monlist command
NTP users are strongly urged to take immediate action to ensure that their NTP daemon is not susceptible to use in a reflected denial-of-service (DRDoS) attack.
http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
Since there is no 4.2.6_p26 in portage, if you run an open NTP server (ntpd sharing your time) you should disable the monitor function on your servers.
Edit /etc/ntp.conf and add
Code:
disable monitor
# "restrict" needs an address or "default"; a bare "restrict noquery" does not parse
restrict default noquery
then restart your server.
http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict
Quote:
disable
disable [auth | bclient | calibrate | kernel | monitor | ntp | pps | stats]
Provides a way to enable or disable various system options. Flags not mentioned are unaffected. Note that most of these flags can be modified remotely using the ntpq utility program's :config and config-from-file commands.
...
monitor
Enables the monitoring facility. See the ntpq program and the monstats and mrulist commands, as well as the Access Control Options for details. The monitoring facility is also enabled by the presence of limited in any restrict commands. The default for this flag is enable.
Quote:
restrict address [mask mask] [flag][...]
The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.
Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following
....
noquery
Deny ntpq and ntpdc queries. Time service is not affected.
Check out
support.ntp.org - Access Restrictions for extensive settings on access restrictions,
or
support.ntp.org - ConfiguringAutokey, which describes a method of using a key on your server and your clients so they authenticate themselves.
gotyaoi (Tux's lil' helper)
Joined: 01 Apr 2013 Posts: 137
Posted: Sat Jan 18, 2014 8:54 am Post subject:
According to the notice, you could use either or
to mitigate this, and if I recall correctly, the default ntp.conf includes
Code:
restrict default nomodify nopeer noquery limited kod
so unless you've changed that, you're good. It also looks like the 4.2.7 series is the development version, so that will probably make it into the tree when it's more stable.
kadrim (n00b)
Joined: 23 Nov 2004 Posts: 10 Location: Germany
Posted: Mon Jan 20, 2014 11:36 am Post subject:
gotyaoi wrote:
to mitigate this, and if I recall correctly, the default ntp.conf includes
Code:
restrict default nomodify nopeer noquery limited kod
so unless you've changed that, you're good. It also looks like the 4.2.7 series is the development version, so that will probably make it into the tree when it's more stable.
Alas, this is not the default ntp.conf (checked 3 servers where I never changed this), so you would have to add noquery yourself.
EDIT: correction: it is the new default as of version ntp-4.2.6_p5-r10 (01 Jan 2014)
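The two mitigations discussed in this thread (ChrisJumper's "disable monitor" plus a noquery restriction, and the "restrict default ... noquery ..." line that kadrim confirms is the new Gentoo default) can be checked mechanically. The following is an added example, not code from the thread or from the ntp project; it parses an ntp.conf body following the accopt documentation quoted above (monitor facility on by default, noquery denies ntpq/ntpdc queries) and reports whether an unrestricted client could still issue monlist. The sample configs are constructed, and the checker only looks at "restrict default" entries (optionally with -4/-6), not at address/mask forms.

```python
# Added example: check an ntp.conf for the monlist mitigations from this thread.
# Rules follow the quoted accopt docs: "monitor" is enabled unless "disable monitor"
# is present, and "noquery" on the default restrict entry denies ntpdc queries.

def parse_ntp_conf(text):
    """Return (monitor_enabled, default_restrict_flags) for an ntp.conf body."""
    monitor = True            # ntpd default: "The default for this flag is enable."
    default_flags = set()     # flags on the "restrict default" entry
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        cmd, args = words[0], words[1:]
        if cmd in ("disable", "enable") and "monitor" in args:
            monitor = cmd == "enable"         # last enable/disable wins
        elif cmd == "restrict" and args:
            if args[0] in ("-4", "-6"):       # "restrict -4 default ..." form
                args = args[1:]
            if args and args[0] == "default":
                default_flags.update(args[1:])
    return monitor, default_flags


def monlist_exposed(text):
    """True if a client matching the default entry could still issue ntpdc monlist."""
    monitor, flags = parse_ntp_conf(text)
    return monitor and "noquery" not in flags


# Constructed sample configs, not copied from any real server.
CONF_EXPOSED = """\
server 0.gentoo.pool.ntp.org
restrict default nomodify nopeer   # no noquery and monitor left on
"""
CONF_GENTOO_P5_R10 = """\
restrict default nomodify nopeer noquery limited kod   # the new default line
restrict 127.0.0.1
"""
CONF_MONITOR_OFF = """\
disable monitor
restrict default nomodify nopeer
"""

if __name__ == "__main__":
    for name, conf in (("exposed", CONF_EXPOSED),
                       ("gentoo default", CONF_GENTOO_P5_R10),
                       ("monitor off", CONF_MONITOR_OFF)):
        print(f"{name}: monlist reachable = {monlist_exposed(conf)}")
```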
kernelOfTruth (Watchman)
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
aevertett (n00b)
Joined: 23 Jun 2014 Posts: 4
Posted: Mon Jun 23, 2014 2:23 pm Post subject:
I have recently completed a couple of security scans on our in-house GPS-referenced NTP network time server, and all reported that we should update to NTP 4.2.7 in order to solve the "DRDoS amplification attack using ntpdc monlist command" issue. However, I have noticed that the latest production version of NTP is 4.2.6 and that NTP 4.2.7 is only a development version. I feel uncomfortable with updating to a development version of NTP; has anyone else had similar issues? We're using a GPS NTP Server from TimeTools.
Regards, Eve
kernelOfTruth (Watchman)
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)