In message <[email protected]>, Brett Glass <[email protected]> wrote:
> ...
> And the need to do so is becoming more urgent. Just over the past 24 hours,
> I am seeing attempted attacks on our servers in which the forged packets
> have source port 123. Obviously, they're counting on users having "secured"
> their systems with firewall rules that this will bypass.
> ...
> And, as you state above, outbound queries should use randomized ephemeral
> source ports as with DNS. This involves a patch to the ntpd that's shipped
> with FreeBSD, because it is currently compiled to use source port 123.

I'm no expert, but I'll go out on a limb here anyway and say that the choice to make NTP outbound queries always use source port 123 is, as far as I can see, really really ill-advised.

Did we learn nothing from all of the brouhaha a couple of years ago about DNS amplification attacks and the ways that were finally settled on to effectively thwart them (most specifically the randomization of query source ports)?

I dearly hope that someone on this list who does in fact have commit privs will jump on this Right Away.

I'm not persuaded that running a perfectly configured ipfw... statefully, no less... should be an absolute prerequisite for running any Internet-connected FreeBSD-based device that simply wishes to always know the correct time.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
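The thread contrasts two things: a stateless "allow inbound UDP from source port 123" rule, which any forged packet satisfies, and a stateful rule, which still admits a forged reply if ntpd's query went out from a fixed port 123 that the sender can guess. The model below is an added example, not code from the thread or from FreeBSD; the addresses and packets are constructed, and the ipfw rule text in the comments is only illustrative of the two policies.

```python
"""Model of how a host firewall treats inbound UDP with source port 123.

Added example, not code from the thread. Addresses, packets and the ipfw
rule text in comments are constructed to illustrate the two policies.
"""
from typing import NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


ME = "192.0.2.10"            # constructed address of the local host
NTP_SERVER = "198.51.100.1"  # constructed address of a legitimate NTP peer


def stateless_allow_sport123(pkt: Packet) -> bool:
    """Weak rule, roughly 'allow udp from any 123 to me in':
    anything claiming source port 123 gets through, solicited or not."""
    return pkt.dst == ME and pkt.sport == 123


class StatefulFirewall:
    """Roughly 'allow udp from me to any 123 out keep-state' plus 'check-state':
    inbound UDP is admitted only if it reverses a recorded outbound query."""

    def __init__(self) -> None:
        self.states = set()

    def outbound(self, pkt: Packet) -> None:
        # Record the 4-tuple a legitimate reply would have to carry.
        if pkt.src == ME and pkt.dport == 123:
            self.states.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.states


def spoofed_replies_admitted(query_sport: int) -> Tuple[bool, bool]:
    """Send one NTP query from query_sport, then replay a forged reply that
    spoofs the server address and assumes our port was 123.
    Returns (admitted by stateless rule, admitted by stateful rule)."""
    fw = StatefulFirewall()
    fw.outbound(Packet(ME, query_sport, NTP_SERVER, 123))
    forged = Packet(NTP_SERVER, 123, ME, 123)
    return stateless_allow_sport123(forged), fw.inbound(forged)
```

With the query sent from port 123 the forged reply passes both policies; with a randomized ephemeral source port only the stateless rule lets it in, which is why the thread asks for both state tracking and port randomization.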
