On 04-01-08 23:48, J.A.C.M. (Jos) van de Ven wrote:
> Hi Nelson,
>> I had this problem with my Colo recently, although in my case the
>> abuse report was in response to sysind requests I was sending out on
>> my own initiative. My response was to stop doing my survey.

> This is the snort IDS rule that causes the problem:
> alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT 
> ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; 
> reference:cve,2001-0414; classtype:attempted-admin; sid:312; 
> rev:6; fwsam: src, 1 day;)
> ...
> You are right that it is kind of stupid and the rule should be left out in
> the future.
>
> My English and knowledge of ntp is not good enough but maybe someone can
> make a false positive report at:

Dropping ntp packages > 128 bytes by default seems reasonable to me. I
expect my time server to be used by systems requesting time, not by systems
requesting all kinds of system information beyond my control. Why would
people want more info about my system, if they use a random server?

Regardless of (currently known or unknown) security holes in your
ntp-server, by dropping everything that is not a normal time request you are
sure that you have closed that attack route. Note that your snort rule gives
exact information about the abuse that was possible with ntpd v4.0 with a
non-time request: "reference:cve,2001-0414" ("Impact Type: Provides
administrator access" sounds serious to me).

As normal time requests are not hindered by the snort rule, and there has
been a serious problem in the past for which the snort rule protects you, I
consider this not a false positive.

Arnold
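As an added illustration (not part of the thread) of what the quoted Snort rule does and does not drop: the rule only looks at the UDP payload size, so a plain 48-byte NTPv4 client request, or one with a symmetric-key MAC appended, passes, while a mode 6 control message padded past 128 bytes is flagged. The packet builders below are constructed samples, not the exploit the CVE describes.

```python
import struct

NTP_PORT = 123
DSIZE_LIMIT = 128        # the rule's "dsize:>128"


def snort_rule_hits(dst_port: int, payload: bytes) -> bool:
    """Emulate the quoted rule: UDP to port 123 with a payload longer than 128 bytes."""
    return dst_port == NTP_PORT and len(payload) > DSIZE_LIMIT


def ntp_mode(payload: bytes) -> int:
    """The mode is the low three bits of the first byte (LI:2 | VN:3 | Mode:3)."""
    return payload[0] & 0x07


def client_time_request(mac_len: int = 0) -> bytes:
    """Constructed NTPv4 mode-3 (client) request: 48-byte header (RFC 5905),
    optionally followed by a 4-byte key id and a MAC of mac_len bytes."""
    header = bytes([0x23]) + bytes(47)          # LI=0, VN=4, Mode=3
    if mac_len:
        header += struct.pack("!I", 1) + bytes(mac_len)   # key id 1 (constructed)
    return header


def control_message(data: bytes) -> bytes:
    """Constructed NTP mode-6 control message (ntpq style): 12-byte header plus
    variable-length data, so the sender controls how large the packet gets."""
    # byte0: VN=2, Mode=6 -> 0x16; byte1: opcode 2 (read variables)
    header = struct.pack("!BBHHHHH", 0x16, 2, 1, 0, 0, 0, len(data))
    return header + data


def classify(dst_port: int, payload: bytes) -> dict:
    """Summarise one packet the way an analyst would when triaging the alert."""
    return {"mode": ntp_mode(payload), "size": len(payload),
            "dropped": snort_rule_hits(dst_port, payload)}


if __name__ == "__main__":
    samples = {
        "plain client request": client_time_request(),
        "client request + MD5 MAC": client_time_request(mac_len=20),
        "small mode-6 control": control_message(b"version"),
        "oversized mode-6 control": control_message(b"x" * 200),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} {classify(NTP_PORT, pkt)}")
```

Caveat: Autokey (RFC 5906) extension fields, and later NTS, can push legitimate packets past 128 bytes, so the rule is only a safe default when your clients use no authentication or symmetric keys.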

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers