On 21 Mar 2014, at 11:41, Info / RIT.lt <[email protected]> wrote:

> Dear FreeBSD users, my first experience with FreeBSD was 14 years ago, but 
> due to hardware problems I chose Linux. After working with Linux for 14 
> years, I decided to give FreeBSD a shot again. After setting up a FreeBSD 
> server with jails, I became a victim of a DDoS which was launched from my 
> dedicated server. The investigation led to the NTP server; this misconfiguration, 
> left with default settings, shocked me. Please fix this configuration bug.
> 
> Firewall is for filtering traffic, but not for hiding buggy configs.
> 
> Regards,
> Mindaugas Bubelis

I kept silent so far, but this lets me frown a bit.

We all know that there are people on the internet that try to hurt our 
businesses, 24*7*365.
All unprotected networks and hosts are targeted, 24*7*365.

It is -very- common practice to set up a security perimeter, to only allow 
traffic you want to have to your machine(s)
and only let out traffic you want from your machine(s). I worked for large 
scale ISPs, and we all did the same.

Reading the mails from this thread leads me to believe that there is no 
stateful firewall concept in place?

Only allow the network you want to your NTP server(s) and deny the others.
Only let out your NTP servers to the internet to retrieve the date.

Do that statefully, and only traffic you send out should come back for the last 
line mentioned; seen from the internet, it is hard
to hijack such a session and fool the firewall into letting the packet back in 
to your NTP server.

In my belief, if you do not filter traffic, you are making a 
deliberate choice to let everyone smack your service(s).
That is not a problem, but you also need to modify your configuration(s) to make 
sure it is as safe as it gets. We (FreeBSD) updated
the ntpd.conf file that is shipped as a Security Patch so that users running 
our update facilities have that in place. However, since
people also change their configurations on their own or do not use that, they 
need to be aware that they need to update the rules as
well! We do not want to enforce our configuration changes on users who might 
have a good reason for having an alternative setup!

The only thing I saw from Brett that might need investigation is the additional 
'disable monitor', though would that break people's
setups? Are people using that on purpose for some reason? Then we cannot 
enforce it, just advise that this might be a solution to
prevent issues.

In my understanding and belief, stateful firewalling your networks is the 
best option, making sure that only your own machines
or a selected set of machines can access NTP resources on your network (or the 
internet, whatever you prefer) and that traffic
leaving your borders can only return if the firewall sees that you set up the 
communication in the first place.

In the above case: did you install the FreeBSD release and never update it? Then 
that is something -you- should have done. Installing
something via delivered media is always out of date and needs to be updated 
before first use.

Thank you.
Remko

> ________________________________________
> From: [email protected] <[email protected]> 
> on behalf of Brett Glass <[email protected]>
> Sent: Friday, March 21, 2014 6:44 AM
> To: Micheas Herman; [email protected]
> Subject: Re: NTP security hole CVE-2013-5211?
> 
> At 10:38 PM 3/20/2014, Micheas Herman wrote:
> 
>> While true, that does mean that amplification attacks are limited to being
>> able to attack those ten machines.
> 
> The amplifier/relay is also a victim, and can be completely disabled by the 
> attack
> if its link to the Net becomes saturated.
> 
> --Brett Glass
> 
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[email protected]"

-- 

/"\   Best regards,                      | [email protected]
\ /   Remko Lodder                       | remko@EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News
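The perimeter policy Remko describes (only your own network reaches ntpd, only ntpd goes out to its upstream servers, replies return only through state), written out as a pf.conf fragment. This is an added example, not configuration from the thread or from FreeBSD's shipped files; the interface names, the 192.0.2.0/24 LAN and the upstream addresses are constructed placeholders to replace with your own.

```pf
# Added example: pf ruleset for the stateful NTP policy discussed above.
# All names and addresses below are placeholders (assumptions), not real hosts.
ext_if       = "em0"                 # interface facing the internet
int_if       = "em1"                 # interface facing your own network
int_net      = "192.0.2.0/24"        # constructed LAN (RFC 5737 documentation range)
ntp_srv      = "192.0.2.10"          # constructed address of your local ntpd
upstream_ntp = "{ 198.51.100.1, 198.51.100.2 }"   # constructed upstream time servers
# Caveat: pf resolves hostnames only when the ruleset is loaded, so list the
# same fixed upstream servers here that you configure in ntp.conf rather
# than a rotating pool name.

# Default deny in both directions; every rule below is an explicit exception.
block log all

# Inbound: only your own network may query the NTP server (UDP/123).
pass in quick on $int_if proto udp from $int_net to $ntp_srv port 123 keep state

# Outbound: only the NTP server may talk to the chosen upstream servers.
pass out quick on $ext_if proto udp from $ntp_srv to $upstream_ntp port 123 keep state

# Deliberately no "pass in" on $ext_if for port 123. Upstream replies are
# admitted only because the state table recorded the matching outbound query,
# so arbitrary internet hosts cannot reach ntpd and use it as an amplifier.
```

This filters around ntpd; it does not replace the restrict lines in the patched ntpd.conf, and 'disable monitor' still matters for any packet that does reach the daemon.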
