Gentoo Forums
DRDoS with net-misc/ntp
Forum: Networking & Security
ChrisJumper
Advocate


Joined: 12 Mar 2005
Posts: 2389
Location: Germany

Posted: Fri Jan 17, 2014 10:40 pm    Post subject: DRDoS with net-misc/ntp

DRDoS Amplification Attack Using ntpdc monlist command

NTP users are strongly urged to take immediate action to ensure that their NTP daemon is not susceptible to use in a reflected denial-of-service (DRDoS) attack.

http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

Since there is no 4.2.6_p26 in portage, if you run an open ntp server (ntpd sharing your time) you should disable the monitor function on your servers.

Edit /etc/ntp.conf and add

Code:

# turn off the monitor facility that feeds the monlist reply
disable monitor
# refuse ntpq/ntpdc queries on the default (catch-all) restriction entry
restrict default noquery

then restart your server.

http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict
Quote:

disable
disable [auth | bclient | calibrate | kernel | monitor | ntp | pps | stats]
Provides a way to enable or disable various system options. Flags not mentioned are unaffected. Note that most of these flags can be modified remotely using ntpq utility program's :config and config-from-file commands.
...
monitor
Enables the monitoring facility. See the ntpq program and the monstats and mrulist commands, as well as the Access Control Options for details. The monitoring facility is also enabled by the presence of limited in any restrict commands. The default for this flag is enable.


Quote:

restrict address [mask mask] [flag][...]
The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.
Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following

....
noquery
Deny ntpq and ntpdc queries. Time service is not affected.


Check out
support.ntp.org - Access Restrictions for extensive settings about access restrictions,
or
support.ntp.org - ConfiguringAutokey, which describes a method of using a key on your server and your clients so they authenticate themselves.
gotyaoi
Tux's lil' helper


Joined: 01 Apr 2013
Posts: 137

Posted: Sat Jan 18, 2014 8:54 am

According to the notice, you could use either
Code:
restrict default noquery
or
Code:
disable monitor

to mitigate this, and if I recall correctly, the default ntp.conf includes
Code:
restrict default nomodify nopeer noquery limited kod

so unless you've changed that, you're good. It also looks like the 4.2.7 series is the development version, so that will probably make it into the tree when it's more stable.
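The two posts above name the same two knobs (disable monitor, noquery on the default restriction) and the line that became the packaged default. As an added example, not from the thread or the ntp project, the Python audit below applies the rules quoted from the ntpd documentation in the first post to an ntp.conf text: monitor is on by default, "disable monitor" turns it off, "limited" on any restrict line turns it back on, and "noquery" (or "ignore") on the default entry refuses ntpq/ntpdc queries whatever the monitor state. It interprets only those directives; the sample configurations are constructed for the demonstration, not copied from any real host.

```python
"""Audit an ntp.conf for exposure to the ntpdc 'monlist' amplification query.

Added example, not from the thread or the ntp project.  It applies the rules
quoted from the ntpd documentation: the monitor facility is on by default,
'disable monitor' turns it off, 'limited' in any restrict line turns it back
on, and 'noquery' (or 'ignore') on the default restriction refuses ntpq/ntpdc
queries whatever the monitor state.  Only those directives are interpreted;
the sample configs at the bottom are constructed for the demonstration.
"""

QUERY_DENY = {"noquery", "ignore"}


def audit_ntp_conf(text):
    """Return {'monitor': bool, 'exposed_families': [...]} for one ntp.conf."""
    monitor = True                       # ntpd default is 'enable monitor'
    limited_seen = False
    default_flags = {"4": set(), "6": set()}

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        words = line.split()
        cmd, args = words[0], words[1:]

        if cmd in ("enable", "disable") and "monitor" in args:
            monitor = (cmd == "enable")

        elif cmd == "restrict":
            families = ["4", "6"]            # plain 'restrict default' hits both
            if args and args[0] in ("-4", "-6"):
                families = [args[0][1]]
                args = args[1:]
            if not args:
                continue
            target, flags = args[0], args[1:]
            if flags[:1] == ["mask"]:        # 'mask x.x.x.x' is not a flag
                flags = flags[2:]
            if "limited" in flags:
                limited_seen = True          # documented: 'limited' enables monitor
            if target == "default":
                # repeated restrict lines for the same entry OR their flags together
                for fam in families:
                    default_flags[fam] |= set(flags)

    monitor_on = monitor or limited_seen
    exposed = [fam for fam, flags in sorted(default_flags.items())
               if monitor_on and not (flags & QUERY_DENY)]
    return {"monitor": monitor_on, "exposed_families": exposed}


# Constructed sample configurations (not copied from any real host).
SAMPLES = {
    # old-style restrict line without noquery: monlist reachable from anywhere
    "old_default": "server 0.gentoo.pool.ntp.org\n"
                   "restrict default nomodify nopeer\n"
                   "restrict 127.0.0.1\n",
    # the line gotyaoi quotes: 'limited' keeps monitor on, 'noquery' blocks queries
    "p5_r10_default": "restrict default nomodify nopeer noquery limited kod\n"
                      "restrict 127.0.0.1\n",
    # 'disable monitor' alone, no 'limited' anywhere: monitor really off
    "disable_monitor": "disable monitor\nrestrict default nomodify nopeer\n",
    # 'disable monitor' undone by 'limited' on a restrict line (documented gotcha)
    "disable_but_limited": "disable monitor\n"
                           "restrict default nomodify nopeer limited kod\n",
    # only the IPv6 default entry refuses queries; IPv4 clients still get monlist
    "v6_only": "restrict -6 default noquery\nrestrict -4 default nomodify\n",
}


def audit_samples():
    return {name: audit_ntp_conf(cfg) for name, cfg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in audit_samples().items():
        fams = result["exposed_families"]
        state = "EXPOSED to IPv" + "/IPv".join(fams) if fams else "not exposed"
        print("%-20s monitor=%-5s %s" % (name, result["monitor"], state))
```

Running it prints one line per sample; the "disable_but_limited" case is the one worth remembering: "disable monitor" on its own is undone by "limited kod" on the default line, which is exactly why the packaged default pairs that line with "noquery" instead. To audit a live host, read /etc/ntp.conf into audit_ntp_conf and, if it reports an exposed family, add noquery to the matching default entry and restart ntpd.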
kadrim
n00b


Joined: 23 Nov 2004
Posts: 10
Location: Germany

Posted: Mon Jan 20, 2014 11:36 am

gotyaoi wrote:
to mitigate this, and if I recall correctly, the default ntp.conf includes
Code:
restrict default nomodify nopeer noquery limited kod

so unless you've changed that, you're good. It also looks like the 4.2.7 series is the development version, so that will probably make it into the tree when it's more stable.


Alas, this is not the default ntp.conf (checked 3 servers where I never changed this).

So you would have to add noquery yourself.

EDIT: correction: it is the new default as of version ntp-4.2.6_p5-r10 (01 Jan 2014).
kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6111
Location: Vienna, Austria; Germany; hello world :)

Posted: Mon Jan 27, 2014 10:19 pm

Thanks for the heads up!

Haven't updated & used ntp in a while, will do so now :)
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004 :D
aevertett
n00b


Joined: 23 Jun 2014
Posts: 4

Posted: Mon Jun 23, 2014 2:23 pm

I have recently completed a couple of security scans on our in-house GPS-referenced NTP network time server, and all reported that we should update to NTP 4.2.7 in order to solve the DRDoS amplification attack using ntpdc monlist command issue. However, I have noticed that the latest production version of NTP is 4.2.6 and that NTP 4.2.7 is only a development version. I feel uncomfortable with updating to a development version of NTP; has anyone else had similar issues? We're using a GPS NTP Server from TimeTools.

Regards, Eve
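The scanners in the post above do one thing: send the tiny mode-7 MON_GETLIST_1 request that ntpdc -c monlist sends and count what comes back. As an added example (not from the thread, the scanners or the ntp project), the Python below builds that 8-byte probe, parses mode-7 replies into their 72-byte monitor records, and computes the byte-level amplification for a constructed exchange. The header and record layout are taken from ntpd's private-mode request format as I know it (4-bit error and 12-bit item count, then fixed-size records); the nine client entries and the two reply packets are fabricated here, so the amplification figure describes this sample only, not any real server.

```python
"""Build the ntpdc MON_GETLIST_1 probe and parse mode-7 replies, offline.

Added example, not from the thread, the scanners mentioned or the ntp project.
Layout follows ntpd's private (mode 7) request format: an 8-byte header, then
'nitems' records of 'itemsize' bytes; a monlist record (info_monitor_1) is
72 bytes.  The replies parsed below are constructed here, not captured from a
real server, so the amplification figure is for this sample only.
"""
import socket
import struct

IMPL_XNTPD = 3            # implementation number ntpdc uses
REQ_MON_GETLIST_1 = 42    # request code behind 'ntpdc -c monlist'
MON_ITEM_SIZE = 72        # sizeof(struct info_monitor_1)
MON_ITEM_FMT = "!IIIIIIIHBBII"   # first 40 bytes; two 16-byte IPv6 addresses follow


def build_monlist_request():
    """The 8-byte probe scanners send: R=0 M=0 VN=2 mode=7, seq 0, impl 3, code 42."""
    return bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + b"\x00" * 4


def parse_monitor_item(rec):
    (_t1, _t2, restr, count, addr, _daddr, _flags, port, mode, version,
     v6_flag, _pad) = struct.unpack(MON_ITEM_FMT, rec[:40])
    addr6 = rec[40:56]
    client = (socket.inet_ntop(socket.AF_INET6, addr6) if v6_flag
              else socket.inet_ntoa(struct.pack("!I", addr)))
    return {"client": client, "port": port, "count": count,
            "mode": mode, "version": version, "restrict": restr}


def parse_mode7_reply(pkt):
    """Decode a mode-7 response header and, for monlist, its records."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    b0, b1, impl, code, err_items, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    if (b0 & 0x07) != 7 or not (b0 & 0x80):
        raise ValueError("not a mode-7 response")
    hdr = {"more": bool(b0 & 0x40), "version": (b0 >> 3) & 0x07,
           "sequence": b1 & 0x7F, "implementation": impl, "request": code,
           "error": err_items >> 12, "nitems": err_items & 0x0FFF,
           "itemsize": mbz_size & 0x0FFF, "records": []}
    off = 8
    for _ in range(hdr["nitems"]):
        rec = pkt[off:off + hdr["itemsize"]]
        if len(rec) < hdr["itemsize"]:
            raise ValueError("truncated record")
        if code == REQ_MON_GETLIST_1 and hdr["itemsize"] == MON_ITEM_SIZE:
            hdr["records"].append(parse_monitor_item(rec))
        off += hdr["itemsize"]
    return hdr


def classify_reply(pkt):
    """What a scanner concludes from one reply (None = nothing came back)."""
    if pkt is None:
        return "no reply: query dropped, as 'noquery' does"
    hdr = parse_mode7_reply(pkt)
    if hdr["error"] or not hdr["nitems"]:
        return "reply with no records (error %d): monitor data not served" % hdr["error"]
    return "monlist exposed: %d record(s)" % hdr["nitems"]


def amplification_factor(request, replies):
    return sum(len(r) for r in replies) / len(request)


# --- constructed server side, used only to fabricate sample replies ---------
def build_monitor_item(client_ip, count, port=123, mode=3, version=4):
    addr = struct.unpack("!I", socket.inet_aton(client_ip))[0]
    head = struct.pack(MON_ITEM_FMT, 1, 5, 0, count, addr, 0, 0,
                       port, mode, version, 0, 0)
    return head + b"\x00" * 32        # addr6/daddr6 unused for IPv4 entries


def build_mode7_reply(items, more=False, seq=0, error=0):
    b0 = 0x80 | (0x40 if more else 0) | 0x17          # R=1, M, VN=2, mode 7
    hdr = struct.pack("!BBBBHH", b0, seq, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      (error << 12) | len(items), MON_ITEM_SIZE)
    return hdr + b"".join(items)


def demo():
    """Nine constructed clients, answered in two packets of at most six records."""
    request = build_monlist_request()
    items = [build_monitor_item("192.0.2.%d" % i, count=100 + i) for i in range(1, 10)]
    replies = [build_mode7_reply(items[:6], more=True, seq=0),
               build_mode7_reply(items[6:], more=False, seq=1)]
    return request, replies, [parse_mode7_reply(r) for r in replies]


if __name__ == "__main__":
    req, replies, parsed = demo()
    print("request :", req.hex(), "(%d bytes)" % len(req))
    for p in parsed:
        print("reply   : more=%s nitems=%d" % (p["more"], p["nitems"]),
              [r["client"] for r in p["records"]])
    print("verdict :", classify_reply(replies[0]))
    print("refused :", classify_reply(build_mode7_reply([], error=4)))
    print("amplification x%.1f" % amplification_factor(req, replies))
```

Even this small constructed list (nine clients, 664 bytes of reply for an 8-byte request) gives an 83x byte amplification; a busy server keeps up to 600 entries and answers in many packets, which is why the reflected traffic is so large. Pointing parse_mode7_reply at real UDP datagrams is the only change needed to turn this into a checker, and the two non-exposed outcomes are the ones to look for after applying the fix: no reply at all (queries refused) or a reply carrying an error and zero records (monitor data not served).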
kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6111
Location: Vienna, Austria; Germany; hello world :)

Posted: Mon Jun 23, 2014 3:03 pm

ChrisJumper wrote:
Since there is no 4.2.6_p26 in portage, and you run an open ntp server (ntpd for sharing your time) you should disable the monitor function in your servers

Edit /etc/ntp.conf and add

Code:

disable monitor
restrict default noquery


https://portal.cert.dfn.de/adv/DFN-CERT-2014-0017/

Quote:
Workaround
If an update to version 4.2.7 or later is not possible, the option "noquery" can also be set in the configuration file; it takes effect after a restart of the service and prevents the request from being processed.


So if the noquery setting is an option in your setup, you don't need to go to the unstable/development branch of ntp.