Gentoo Forums
DRDoS with net-misc/ntp
ChrisJumper
Veteran


Joined: 12 Mar 2005
Posts: 1775
Location: Germany

PostPosted: Fri Jan 17, 2014 10:40 pm    Post subject: DRDoS with net-misc/ntp

DRDoS Amplification Attack Using ntpdc monlist command

NTP users are strongly urged to take immediate action to ensure that their NTP daemon is not susceptible to use in a reflected denial-of-service (DRDoS) attack.

http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

Since there is no 4.2.6_p26 in portage, if you run an open NTP server (ntpd sharing your time) you should disable the monitor function on your servers.

Edit /etc/ntp.conf and add

Code:

# turn off the monitoring facility that monlist reads from
disable monitor
# restrict needs an address; "default" covers the IPv4 and IPv6 default entries.
# noquery denies ntpq/ntpdc queries, time service is unaffected.
restrict default noquery


then restart your server.

http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict
Quote:

disable
disable [auth | bclient | calibrate | kernel | monitor | ntp | pps | stats]
Provides a way to enable or disable various system options. Flags not mentioned are unaffected. Note that most of these flags can be modified remotely using ntpq utility program's :config and config-from-file commands.
...
monitor
Enables the monitoring facility. See the ntpq program and the monstats and mrulist commands, as well as the Access Control Options for details. The monitoring facility is also enabled by the presence of limited in any restrict commands. The default for this flag is enable.


Quote:

restrict address [mask mask] [flag][...]
The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.
Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following

....
noquery
Deny ntpq and ntpdc queries. Time service is not affected.


Check out
support.ntp.org - Access Restrictions for extensive settings about access restrictions,
or
support.ntp.org - ConfiguringAutokey, which describes a method of using a key on your server and your clients to authenticate themselves.
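To verify the mitigation from the outside rather than trusting the config file, here is an added example (not part of this thread and not the ntp project's own code): a Python probe that sends the same 8-byte mode 7 MON_GETLIST_1 request that ntpdc's monlist command uses, parses any reply and reports the byte amplification. It assumes the wire layout of struct info_monitor_1 from ntp's ntp_request.h (72-byte entries, IPv4 address at offset 16, IPv6 flag and address after it). The two-entry reply embedded below is constructed, not captured traffic, so the parser can be exercised offline; probe() needs network access and should only be pointed at servers you are responsible for.

```python
import socket
import struct

IMPL_XNTPD = 3          # implementation number ntpd answers to
MON_GETLIST_1 = 42      # request code behind "ntpdc -c monlist"
MON_ITEM_SIZE = 72      # sizeof(struct info_monitor_1), assumed from ntp_request.h


def build_monlist_request() -> bytes:
    """The 8-byte monlist probe: version 2, mode 7, no auth, seq 0, nitems/itemsize 0."""
    rm_vn_mode = (2 << 3) | 7          # response=0, more=0, version=2, mode=7
    return struct.pack("!BBBBHH", rm_vn_mode, 0, IMPL_XNTPD, MON_GETLIST_1, 0, 0)


def parse_monlist_response(pkt: bytes) -> dict:
    """Parse one mode-7 response fragment into header fields and monitored-client entries."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    rm_vn_mode, auth_seq, _impl, _reqcode, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    if rm_vn_mode & 7 != 7 or not rm_vn_mode & 0x80:
        raise ValueError("not a mode-7 response")
    nitems, itemsize = err_nitems & 0x0FFF, mbz_itemsize & 0x0FFF
    entries = []
    for i in range(nitems):
        item = pkt[8 + i * itemsize: 8 + (i + 1) * itemsize]
        if len(item) < MON_ITEM_SIZE:
            break                       # truncated/padded tail, nothing more to read
        # lasttime, firsttime, restr, count, addr, daddr, flags (u_int32 each), port (u_short),
        # mode, version (u_char), v6_flag, unused1 (u_int); then addr6 and daddr6 (16 bytes each)
        (_last, _first, _restr, count, addr, _daddr, _flags,
         port, mode, version, v6_flag, _unused) = struct.unpack("!IIIIIIIHBBII", item[:40])
        if v6_flag:
            client = socket.inet_ntop(socket.AF_INET6, item[40:56])
        else:
            client = socket.inet_ntop(socket.AF_INET, struct.pack("!I", addr))
        entries.append({"client": client, "count": count, "port": port,
                        "mode": mode, "version": version})
    return {"error": err_nitems >> 12, "more": bool(rm_vn_mode & 0x40),
            "seq": auth_seq & 0x7F, "entries": entries, "size": len(pkt)}


def amplification(request: bytes, responses: list) -> float:
    """Bytes received per byte sent; anything well above 1 makes the host a usable reflector."""
    return sum(len(r) for r in responses) / len(request)


def probe(host: str, port: int = 123, timeout: float = 2.0) -> list:
    """Send one monlist request and collect every response fragment (needs network access)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    responses = []
    try:
        sock.sendto(build_monlist_request(), (host, port))
        while True:
            data, _ = sock.recvfrom(2048)
            responses.append(data)
            if not parse_monlist_response(data)["more"]:
                break
    except socket.timeout:
        pass        # a server with noquery / disable monitor simply does not answer
    finally:
        sock.close()
    return responses


def sample_response() -> bytes:
    """Constructed two-entry reply (one IPv4, one IPv6 client) for offline use; not real traffic."""
    def item(addr4, addr6, count, port):
        v6 = addr6 is not None
        a4 = 0 if v6 else struct.unpack("!I", socket.inet_aton(addr4))[0]
        a6 = socket.inet_pton(socket.AF_INET6, addr6) if v6 else bytes(16)
        return struct.pack("!IIIIIIIHBBII", 5, 3600, 0, count, a4, 0, 0,
                           port, 3, 4, int(v6), 0) + a6 + bytes(16)
    hdr = struct.pack("!BBBBHH", 0x80 | (2 << 3) | 7, 0, IMPL_XNTPD, MON_GETLIST_1, 2, MON_ITEM_SIZE)
    return hdr + item("192.0.2.10", None, 600, 123) + item(None, "2001:db8::1", 42, 40000)


if __name__ == "__main__":
    req, reply = build_monlist_request(), sample_response()
    parsed = parse_monlist_response(reply)
    for e in parsed["entries"]:
        print("client %-20s packets=%d" % (e["client"], e["count"]))
    print("amplification x%.1f from one fragment" % amplification(req, [reply]))
```

A vulnerable server sends up to 100 such fragments (6 entries each) for one 8-byte request, so the factor reported against a live host will be far larger than the single constructed fragment shows; a server that has applied either mitigation returns nothing and probe() comes back empty after the timeout.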
gotyaoi
n00b


Joined: 01 Apr 2013
Posts: 74

PostPosted: Sat Jan 18, 2014 8:54 am    Post subject:

According to the notice, you could use either
Code:
restrict default noquery
or
Code:
disable monitor

to mitigate this, and if I recall correctly, the default ntp.conf includes
Code:
restrict default nomodify nopeer noquery limited kod

so unless you've changed that, you're good. It also looks like the 4.2.7 series is the development version, so that will probably make it into the tree when it's more stable.
kadrim
n00b


Joined: 23 Nov 2004
Posts: 10
Location: Germany

PostPosted: Mon Jan 20, 2014 11:36 am    Post subject:

gotyaoi wrote:
to mitigate this, and if I recall correctly, the default ntp.conf includes
Code:
restrict default nomodify nopeer noquery limited kod

so unless you've changed that, you're good. It also looks like the 4.2.7 series is the development version, so that will probably make it into the tree when it's more stable.


Alas, this is not the default ntp.conf (checked 3 servers where I never changed this).

So you would have to add noquery yourself.

EDIT: correction: it is the new default as of version ntp-4.2.6_p5-r10 (01 Jan 2014).
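A configuration check for the two mitigations discussed in this thread (the `restrict default ... noquery` line gotyaoi and kadrim mention, and the `disable monitor` alternative from the first post), as an added example that is not part of the thread, of Gentoo's ntp package or of the ntp project: it reads an ntp.conf and reports whether monlist is still reachable, following the rules quoted from the ntp documentation above, namely that `noquery` on the default restrict entry denies ntpdc queries, that the `monitor` flag is enabled by default, and that `limited` on any restrict line turns the monitoring facility back on, so `disable monitor` on its own is not enough when `limited` is in use. The sample configurations below are constructed for the demonstration (only the Gentoo default restrict line is taken from the thread); `includefile` directives are not followed.

```python
"""Audit an ntp.conf for the settings that decide whether monlist can be reached."""
import sys


def parse_ntp_conf(text: str) -> dict:
    """Collect just the settings relevant to monlist exposure; everything else is ignored."""
    state = {
        "monitor_enabled": True,      # documented default: the monitor flag is enabled
        "limited_anywhere": False,    # 'limited' on any restrict line re-enables monitoring
        "default_v4": set(),          # flags on the IPv4 default restrict entry
        "default_v6": set(),          # flags on the IPv6 default restrict entry
    }
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        cmd, *args = line.split()
        if cmd in ("enable", "disable") and "monitor" in args:
            state["monitor_enabled"] = cmd == "enable"     # last occurrence wins
        elif cmd == "restrict":
            family = None
            if args and args[0] in ("-4", "-6"):            # restrict -4 default ... / -6
                family = args.pop(0)
            if not args:
                continue
            target, flags = args[0], set(args[1:])
            if "limited" in flags:
                state["limited_anywhere"] = True
            # 'restrict default' without -4/-6 modifies both default entries;
            # flags from repeated restrict lines for the same entry accumulate
            if target == "default":
                if family in (None, "-4"):
                    state["default_v4"] |= flags
                if family in (None, "-6"):
                    state["default_v6"] |= flags
    return state


def monlist_exposure(text: str) -> dict:
    """Verdict: monlist is reachable if monitoring is active and default restrict lacks noquery."""
    s = parse_ntp_conf(text)
    monitoring = s["monitor_enabled"] or s["limited_anywhere"]
    open_v4 = monitoring and "noquery" not in s["default_v4"]
    open_v6 = monitoring and "noquery" not in s["default_v6"]
    return {"monitoring_active": monitoring, "monlist_open_v4": open_v4,
            "monlist_open_v6": open_v6, "safe": not (open_v4 or open_v6)}


def audit_file(path: str) -> dict:
    with open(path, encoding="utf-8", errors="replace") as f:
        return monlist_exposure(f.read())


# Constructed sample configurations (only the GENTOO_DEFAULT restrict line is from the thread).
GENTOO_DEFAULT_CONF = """
restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
restrict ::1
server 0.gentoo.pool.ntp.org
"""
OPEN_CONF = """
restrict default nomodify nopeer
server 0.gentoo.pool.ntp.org
"""
DISABLE_WITH_LIMITED_CONF = """
disable monitor
restrict default nomodify nopeer limited kod
"""
DISABLE_ONLY_CONF = """
disable monitor
restrict default nomodify nopeer
"""
V4_ONLY_CONF = """
restrict -4 default nomodify nopeer noquery
restrict -6 default nomodify nopeer
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], audit_file(sys.argv[1]))
    else:
        for name, conf in [("gentoo default", GENTOO_DEFAULT_CONF), ("open", OPEN_CONF),
                           ("disable monitor + limited", DISABLE_WITH_LIMITED_CONF),
                           ("disable monitor only", DISABLE_ONLY_CONF), ("v4 only", V4_ONLY_CONF)]:
            print("%-26s %s" % (name, monlist_exposure(conf)))
```

Run it with the path to an ntp.conf to audit that file, or with no argument to see the five constructed cases; the "disable monitor + limited" case is the one worth remembering, since it looks mitigated at a glance but leaves the monitoring facility on.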
kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 5617
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Mon Jan 27, 2014 10:19 pm    Post subject:

Thanks for the heads up!


haven't updated & used ntp in a while, will do so now :)
_________________
Unofficial minimal livecd x86/amd64 w/reiser4+truecrypt (by Neo2)
2.6.37.2_plus_v1: BFS, CFS,THP,compaction, zcache or TOI
Hardcore Linux user since 2004 :D