oss-sec mailing list archives
Re: CVE to the ntp monlist DDoS issue?
From: Xin Li <delphij () delphij net>
Date: Mon, 30 Dec 2013 22:37:01 -0800
On 12/30/13, 4:46 AM, Mike O'Connor wrote:
> There's a recent rash of DDoS involving the monlist functionality in older ntp.org ntp. Has anyone thought about assigning a CVE to this? It looks like the issue may have been addressed back in 2010, but only in the context of ntp.org's "dev" tree, not "stable".
>
> http://bugs.ntp.org/show_bug.cgi?id=1532
> https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
> http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks

Both as a mitigation to this attack and a best practice, I think all public facing ntpd should be configured to have 'nomodify nopeer noquery notrap' as default restrictions. Something like:

===
restrict default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
===

Cheers,
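An added example, not part of the original message or of ntp.org's code: a small audit of an ntp.conf for the default restrictions recommended above. It assumes, following the layout in the post, that a bare `restrict default` covers IPv4 only and that IPv6 needs its own `restrict -6 default` line; the function name and both sample configs are constructed.

```python
REQUIRED = ("nomodify", "nopeer", "noquery", "notrap")  # flags named in the post

def audit_ntp_conf(conf_text):
    """Return a list of findings; an empty list means both defaults are locked down."""
    findings = []
    seen = {"ipv4": False, "ipv6": False}
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(words) < 2 or words[0] != "restrict":
            continue
        args = words[1:]
        family = "ipv4"                           # assumption: bare 'default' = IPv4 only
        if args[0] in ("-4", "-6"):
            family = "ipv6" if args[0] == "-6" else "ipv4"
            args = args[1:]
        if not args or args[0] != "default":
            continue                              # host/net-specific entry, not audited
        seen[family] = True
        flags = set(args[1:])
        if "ignore" in flags:                     # 'ignore' denies all packets
            continue
        missing = [f for f in REQUIRED if f not in flags]
        if missing:
            findings.append(f"{family} line {lineno}: missing {' '.join(missing)}")
    for family, present in seen.items():
        if not present:
            findings.append(f"{family}: no 'restrict default' line")
    return findings

# Constructed sample: the configuration suggested in the post.
HARDENED = """\
restrict default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""

# Constructed sample: still answers queries from anyone, and has no IPv6 default.
WEAK = """\
# public time server
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_ntp_conf(text) or "OK")
```

The check is deliberately strict: every `restrict default` line must carry all four flags on its own, so it does not depend on how ntpd combines repeated entries.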