Everyone:
Two months after this vulnerability was announced, we're still
seeing attempts to use the NTP "monitor" query to execute and
amplify DDoS attacks. Unfortunately, FreeBSD, in its default
configuration, will amplify the attacks if not patched and will
still relay them (by sending "rejection" packets), obfuscating the
source of the attack, if the system is patched using freebsd-update
but the default ntp.conf file is not changed.
To avoid this, it's necessary to change /etc/ntp.conf to include
the following lines:
# Stop amplification attacks via NTP servers
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
# Note: Comment out these lines on machines without IPv6
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1
We've tested this configuration on our servers and it successfully
prevents the latest patches of FreeBSD 9.x and 10.0 from
participating in a DDoS attack, either as a relay or as an amplifier.
Some of our own systems which were probed prior to the time we
secured them are still receiving a large stream of attack packets,
apparently from a botnet.
I'd recommend that the lines above be included in the default
/etc/ntp.conf in all future releases, and that all systems that use
the default ntp.conf without modification be patched automatically
via freebsd-update.
--Brett Glass
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
