After some more investigation, I think we should just add "disable monitor" to nixos' ntpd.conf. It seems the monitoring functionality is not needed for normal operation so it was a mistake (upstream) to enable it by default. However, it is not a security vulnerability for the system itself, so no patch/fix is done for stable.
Development releases seem to happen way too often, so tracking those is not a good solution. Since we already suffer from option-bloat, I suggest we add the line unconditionally, unless someone actually uses this feature. In that case I'm happy to create an option with a big fat warning description. Please let me know.

On Mon, Feb 24, 2014 at 5:27 PM, Mathijs Kwik <[email protected]> wrote:
> Hi all,
>
> Our ntpd version (stable, 2011) contains a feature called 'monlist',
> which is enabled by default. This feature has recently been abused by
> huge NTP-amplification DDoS attacks.
>
> However, the vulnerability has only been fixed in the development
> version and security firms recommend upgrading to that (at least
> v4.2.7p26, 03/2010 release, so not really bleeding edge).
>
> Another option is to disable the problematic 'monlist' service in our
> current version by adding a line to the config file: "disable
> monitor". However, the replacement 'mrulist' functionality is only
> available in the development release, so just disabling monlist probably
> cripples operations (I'm not very familiar with ntp).
>
> Given the fact that the stable release hasn't been updated with a fix, I
> would suggest we start following development releases for ntp, because
> there are probably other issues lurking in stable.
> Does anyone object to that? Or does anyone propose a different solution?
>
> http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
>
> Regards,
> Mathijs

_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
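The proposal above amounts to a one-line change to the generated ntpd.conf. The following is an added example (not code from NixOS, the ntp project, or the thread's author) that checks whether a given ntp.conf still answers monlist queries, and applies the proposed fix. The ntpd semantics it encodes are real: the monitor feature is on by default, the last `enable monitor`/`disable monitor` line wins, and a `restrict default` rule carrying `noquery` refuses ntpdc/ntpq queries (monlist included) for any peer not covered by a more specific `restrict` line. Treating each `restrict default` rule as one rule regardless of the `-4`/`-6` family flag is a simplification; the sample configs are constructed for illustration.

```python
"""Check an ntp.conf for monlist (MON_GETLIST) exposure and apply the fix.

Added example; not NixOS or ntp project code. Per-family (-4/-6) handling
of 'restrict default' is simplified: every default rule must carry
'noquery' for the restrict path to count as protection.
"""


def _parse(conf_text):
    """Yield (keyword, args) for each non-comment, non-empty line."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        yield tokens[0], tokens[1:]


def monlist_exposed(conf_text):
    """Return True if ntpd running this config would still serve monlist."""
    monitor_enabled = True          # ntpd default
    default_rules = []              # 'noquery' presence per 'restrict default'
    for keyword, args in _parse(conf_text):
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_enabled = keyword == "enable"    # last one wins
        elif keyword == "restrict":
            flags = [a for a in args if a not in ("-4", "-6")]
            if flags and flags[0] == "default":
                default_rules.append("noquery" in flags[1:])
    # Protected by restrict only if at least one default rule exists
    # and none of them leaves queries open.
    restrict_protects = bool(default_rules) and all(default_rules)
    return monitor_enabled and not restrict_protects


def add_disable_monitor(conf_text):
    """Append 'disable monitor' (the proposed NixOS change) if not already last."""
    last = None
    for keyword, args in _parse(conf_text):
        if keyword in ("enable", "disable") and "monitor" in args:
            last = keyword
    if last == "disable":
        return conf_text
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + "disable monitor\n"


# Constructed sample resembling a minimal 2011-era generated config.
WEAK_CONF = (
    "driftfile /var/lib/ntp/ntp.drift\n"
    "server 0.nixos.pool.ntp.org\n"
    "server 1.nixos.pool.ntp.org\n"
)

HARDENED_CONF = add_disable_monitor(WEAK_CONF)

if __name__ == "__main__":
    print("weak exposed:    ", monlist_exposed(WEAK_CONF))      # True
    print("hardened exposed:", monlist_exposed(HARDENED_CONF))  # False
```

Note that a later `enable monitor` line re-opens the feature even if `disable monitor` appears earlier, which is why the checker keeps only the last such directive; the `restrict default ... noquery` path is the alternative the CloudFlare post recommends for installations that want to keep the monitor statistics reachable from trusted hosts via more specific `restrict` lines.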
