At 01:33 PM 3/20/2014, Ronald F. Guilmette wrote:
> I agree entirely with every part of that statement except one.
> In the immortal words of the Lone Ranger's trusted sidekick (Tonto)...
> "What do you mean WE kimo sabe?"
> I personally don't have commit privileges for any part of FreeBSD.
> Other than that, yes, all outbound NTP queries really should be sent out
> on high numbered ports, well and truly away from 123. (And also, the
> outbound port number should be well and truly randomized, I should think.
> If it's good for the goose, i.e. DNS, then it's probably good for the
> gander too.)

Well, I'm afraid that I do not have a commit bit either (I've been sending
contributions of code and patches to those who do), so all I can do is
suggest that the community do it. Hence the "we."
And the need to do so is becoming more urgent. Just over the past 24 hours,
I am seeing attempted attacks on our servers in which the forged packets
have source port 123. Obviously, they're counting on users having "secured"
their systems with firewall rules that this will bypass.

> Of course, if this *is* messed up, then I guess that I'll have to remove
> my firewall rule, and diddle my /etc/ntp.conf file at the same time, in
> order to make sure that the Evil Ones don't come back and use & abuse me
> again.

IMHO, you should diddle /etc/ntp.conf as I mentioned in my earlier message
AND use stateful firewall rules (IPFW works fine for this) to ensure that
you only accept incoming NTP packets which are answers to your own queries.
And, as you state above, outbound queries should use randomized ephemeral
source ports as with DNS. This involves a patch to the ntpd that's shipped
with FreeBSD, because it is currently compiled to use source port 123.
(Back in the days of FreeBSD 5.x and 6.x, it used ephemeral source ports,
but not now.)
--Brett Glass
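As an added illustration (not code from the thread or from FreeBSD), the following Python simulation contrasts the port-based "allow anything from source port 123" rule that the forged packets above are designed to slip past with the stateful keep-state rule Brett recommends, using a randomized ephemeral source port for the outbound query. The addresses are constructed and the ipfw rule text in the comments is an assumed equivalent; nothing here runs ipfw.

```python
"""Port-based vs stateful filtering of inbound NTP, modelled after ipfw."""
import random
from dataclasses import dataclass

ME = "192.0.2.10"            # constructed: our host
NTP_SERVER = "198.51.100.5"  # constructed: the upstream server we query
ATTACKER = "203.0.113.7"     # constructed: origin of the forged packets


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" (leaving us) or "in" (arriving at us)


class NtpFilter:
    """Naive ruleset (assumed ipfw equivalent):  allow udp from any 123 to me in
    Stateful ruleset (assumed ipfw equivalent): check-state
                                                allow udp from me to any 123 out keep-state
                                                deny udp from any to me in
    keep-state records the 4-tuple of our own query; check-state then admits
    only the packet that reverses that exact tuple, i.e. the real answer."""

    def __init__(self, stateful: bool):
        self.stateful = stateful
        self.states = set()  # dynamic rules created by keep-state

    def evaluate(self, p: Packet) -> bool:
        if p.direction == "out":
            ok = p.src == ME and p.dport == 123
            if ok and self.stateful:
                self.states.add((p.src, p.sport, p.dst, p.dport))
            return ok
        if self.stateful:  # inbound: only answers to queries we sent
            return (p.dst, p.dport, p.src, p.sport) in self.states
        return p.sport == 123  # inbound: naive rule keys on source port only


def run_scenario(stateful: bool) -> dict:
    """Send one query with a random ephemeral source port, then offer the
    filter the genuine reply, a forged packet with source port 123, and a
    packet from the right server aimed at a port we never queried from."""
    fw = NtpFilter(stateful)
    sport = random.randint(49152, 65535)  # randomized, not fixed at 123
    other = sport - 1 if sport > 49152 else sport + 1
    return {
        "query": fw.evaluate(Packet(ME, sport, NTP_SERVER, 123, "out")),
        "reply": fw.evaluate(Packet(NTP_SERVER, 123, ME, sport, "in")),
        "forged": fw.evaluate(Packet(ATTACKER, 123, ME, 123, "in")),
        "stray": fw.evaluate(Packet(NTP_SERVER, 123, ME, other, "in")),
    }
```

With the naive rule every packet carrying source port 123 is admitted, forged or not; with keep-state only the reply matching our own query's 4-tuple gets through.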
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"