On Wed, Feb 12, 2014 at 02:48:20PM +0000, Saso Kiselkov wrote:
> On 2/12/14, 2:43 PM, Gary Mills wrote:
> > For those who haven't already heard about this NTP exploit, it begins
> > with a single UDP packet sent to a computer running the NTP service.
> > With the default configuration, a monlist query will result in many
> > packets being returned to the source of the query. All it takes is a
> > spoofed source address to turn this into a DOS attack. You can read
> > about it here:
> >
> > http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
> >
> > The solution is here:
> >
> > http://support.ntp.org/bin/view/Support/AccessRestrictions
> >
> > I'm attaching the changes I made to my ntp.conf to avoid this problem.
>
> Prudent advice, yes, but I can't think of any situation where an openly
> accessible NTP service on an Internet-facing machine that isn't
> *specifically* configured to be an NTP server isn't a case of bad admin
> negligence. *All* Internet-facing machines should be running ipfilters
> and only open up ports for the services they are designed to provide.
This is curious. The Symantec article says to upgrade to version 4.2.7
to eliminate this exploit. I see that oi_151a9 runs version 4.2.7p411,
which I assume is not vulnerable. My Solaris 11.1 desktop only runs
version 4.2.5p200, putting it behind the OI version. It likely is
vulnerable.

> Anyway, you're right on the changes to ntp.conf and I have to wonder why
> this wasn't the default in the ntp package to begin with.

Yes, the configuration could still be changed in OI to make the service
less visible externally.

-- 
-Gary Mills-        -refurb-        -Winnipeg, Manitoba, Canada-

_______________________________________________
OpenIndiana-discuss mailing list
http://openindiana.org/mailman/listinfo/openindiana-discuss
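A small checker for the ntp.conf restrictions the linked ntp.org AccessRestrictions page recommends, as an added example (not the attachment from Gary's post). The sample configs are constructed, and the checker only models `disable monitor` and the `noquery`/`ignore` flags on `restrict default` lines, not ntpd's full restrict semantics.

```python
"""Lint an ntp.conf for the monlist mitigations from the ntp.org
AccessRestrictions page ('disable monitor', 'noquery' on restrict default).
Added example, not the attachment from the post."""

# Constructed sample: no restrict lines, so ntpd answers monlist to anyone.
WEAK_CONF = """\
driftfile /var/ntp/ntp.drift
server 0.pool.ntp.org
"""

# Constructed sample: the same config with the recommended restrictions.
HARDENED_CONF = """\
driftfile /var/ntp/ntp.drift
server 0.pool.ntp.org
disable monitor                      # drops the monlist table entirely
restrict default kod nomodify notrap nopeer noquery  # covers v4 and v6
restrict 127.0.0.1
restrict -6 ::1
"""


def parse_ntp_conf(text):
    """Return (monitor_enabled, {family: flags}) for the default restrict
    lines; families are '-4' and '-6', a bare 'restrict default' sets both."""
    monitor = True        # ntpd keeps 'monitor' on unless it is disabled
    defaults = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # strip comments and blanks
        if not words:
            continue
        if words[0] in ("enable", "disable") and "monitor" in words[1:]:
            monitor = words[0] == "enable"
        elif words[0] == "restrict":
            fams, rest = ["-4", "-6"], words[1:]
            if rest and rest[0] in ("-4", "-6"):
                fams, rest = [rest[0]], rest[1:]
            if rest and rest[0] == "default":
                for fam in fams:
                    defaults[fam] = set(rest[1:])
    return monitor, defaults


def monlist_exposed(text):
    """True if ntpd would still answer monlist from arbitrary sources:
    monitor on and some address family's default line still allows queries."""
    monitor, defaults = parse_ntp_conf(text)
    if not monitor:
        return False
    return any(not defaults.get(fam, set()) & {"noquery", "ignore"}
               for fam in ("-4", "-6"))
```

Note that `restrict default ... noquery` also blocks local `ntpq` use unless a `restrict 127.0.0.1` / `restrict -6 ::1` exception is kept, as in the hardened sample.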
