On 14 Mar 2014, at 16:38, Brett Glass <br...@lariat.org> wrote:

> Two months after this vulnerability was announced, we're still seeing
> attempts to use the NTP "monitor" query to execute and amplify DDoS attacks.
> Unfortunately, FreeBSD, in its default configuration, will amplify the
> attacks if not patched and will still relay them (by sending "rejection"
> packets), obfuscating the source of the attack, if the system is patched
> using freebsd-update but the default ntp.conf file is not changed.
>
> To avoid this, it's necessary to change /etc/ntp.conf to include the
> following lines:
>
> # Stop amplification attacks via NTP servers
> disable monitor
> restrict default kod nomodify notrap nopeer noquery
> restrict 127.0.0.1
> restrict 127.127.1.0
> # Note: Comment out these lines on machines without IPv6
> restrict -6 default kod nomodify notrap nopeer noquery
> restrict -6 ::1
>
> We've tested this configuration on our servers and it successfully prevents
> the latest patches of FreeBSD 9.x and 10.0 from participating in a DDoS
> attack, either as a relay or as an amplifier.
>
> Some of our own systems which were probed prior to the time we secured them
> are still receiving a large stream of attack packets, apparently from a
> botnet.
>
> I'd recommend that the lines above be included in the default /etc/ntp.conf
> in all future releases, and that all systems that use the default ntp.conf
> without modification be patched automatically via freebsd-update.
It looks like you missed http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc then? Which was released on Jan 14, and has all the instructions on how to patch your system. It also shows this was fixed for all supported FreeBSD releases.

-Dimitry
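As an added check, not code from either poster or from FreeBSD, here is a small Python audit that reads an ntp.conf and reports whether the lines Brett recommends are present. The server line in the sample files is illustrative, and the IPv4/IPv6 split assumes the layout of the posted file (plain `restrict default` for IPv4, `restrict -6 default` for IPv6).

```python
# Flags carried by the post's hardened "restrict default" lines.
HARDENED_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

def parse_ntp_conf(text):
    """Yield (keyword, args) per config line, with comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            keyword, *args = line.split()
            yield keyword, args

def audit_ntp_conf(text, ipv6=True):
    """Return findings (empty = matches the post's hardening). Assumes, as in
    the posted file, 'restrict default' is IPv4 and 'restrict -6 default' IPv6."""
    findings, monitor_disabled, default_flags = [], False, {}
    for keyword, args in parse_ntp_conf(text):
        if keyword == "disable" and "monitor" in args:
            monitor_disabled = True
        elif keyword == "restrict":
            family = args.pop(0)[1] if args and args[0] in ("-4", "-6") else "4"
            if args and args[0] == "default":
                default_flags[family] = set(args[1:])  # flags after 'default'
    if not monitor_disabled:
        findings.append("missing 'disable monitor': monitor (monlist) replies can amplify traffic")
    for fam in (["4", "6"] if ipv6 else ["4"]):
        line = "restrict default" if fam == "4" else "restrict -6 default"
        flags = default_flags.get(fam)
        if flags is None:
            findings.append(f"no '{line}' line: any IPv{fam} host may query the daemon")
        elif HARDENED_FLAGS - flags:
            findings.append(f"'{line}' lacks {', '.join(sorted(HARDENED_FLAGS - flags))}")
    return findings

# Constructed sample: a pre-hardening ntp.conf (server line is illustrative).
WEAK_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict default nomodify notrap
restrict 127.0.0.1
"""
# The hardening lines quoted in the post, plus the same server line.
HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1
"""
```

Pass `ipv6=False` on hosts where the `-6` lines are commented out, as the post's note suggests, so the missing IPv6 default is not reported.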