On Wed, 12 Feb 2014, Saso Kiselkov wrote:

> Prudent advice, yes, but I can't think of any situation where an openly
> accessible NTP service on an Internet-facing machine that isn't
> *specifically* configured to be an NTP server isn't a case of bad admin
> negligence. *All* Internet-facing machines should be running ipfilters
> and only open up ports for the services they are designed to provide.

That is pretty harsh. I had a FreeBSD system which was attacked by this exploit a couple of months ago and it took down my Internet connection (massive packet loss) until I figured out the cause. That system still receives millions of NTP packets per day (which are now tossed).

There is no warning in the NTP documentation about the software automatically acting like a "server" and NTP is pretty much a peer-peer protocol so it is reasonable to leave that port open on the firewall since some NTP clients might not be properly configured yet to use a local NTP server. Regardless, the protocol being exploited does not seem to be normal NTP itself but an admin-related protocol.

Bob
--
Bob Friesenhahn
[email protected], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
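The distinction Bob draws between "normal NTP" (client/server time exchange) and the admin-related protocol that was being abused is visible in the first byte of every NTP packet: the low three bits carry the mode, and modes 6 and 7 are the control and private (administrative) modes rather than time requests. The classifier below, an added example that is not code from the mailing-list thread, parses that header so a defender can count how much of the inbound UDP/123 traffic is ordinary client requests versus admin queries, and which sources send the latter. The packets and source addresses are constructed for illustration; the mode-7 request codes are the values ntpd's ntp_request.h assigns to MON_GETLIST and MON_GETLIST_1.

```python
"""Separate ordinary NTP client requests from control/admin-mode queries.

Added example, not from the mailing-list post. Packet bytes and source
addresses below are constructed, not captured traffic.
"""

from collections import Counter, defaultdict

# RFC 5905 mode values from the low three bits of the first byte.
NTP_MODES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast",
    6: "control", 7: "private (admin)",
}

# Mode 7 request codes from ntpd's ntp_request.h. 42 (MON_GETLIST_1) is the
# "monlist" query whose large reply lets a small request produce a big answer.
MODE7_REQUESTS = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}


def classify_ntp(payload: bytes) -> dict:
    """Decode the NTP header far enough to say what kind of packet this is."""
    if len(payload) < 4:
        return {"valid": False}
    first = payload[0]
    mode = first & 0x07
    info = {
        "valid": True,
        "mode": mode,
        "mode_name": NTP_MODES[mode],
        "version": (first >> 3) & 0x07,   # VN occupies bits 3..5 in every mode
        "admin": mode in (6, 7),          # control or private: not a time request
    }
    if mode == 7:
        # Mode 7 header: byte 0 = R|M|VN|mode, byte 1 = auth|sequence,
        # byte 2 = implementation, byte 3 = request code.
        info["is_response"] = bool(first & 0x80)
        code = payload[3]
        info["request_code"] = code
        info["request_name"] = MODE7_REQUESTS.get(code, "other")
    else:
        info["leap"] = first >> 6         # LI occupies bits 6..7 outside mode 7
    return info


def summarize(packets) -> dict:
    """Count admin vs. client packets per source and flag admin-query senders.

    `packets` is an iterable of (source_ip, payload) pairs.
    """
    per_source = defaultdict(Counter)
    for src, payload in packets:
        info = classify_ntp(payload)
        if not info["valid"]:
            per_source[src]["invalid"] += 1
        elif info["admin"]:
            per_source[src]["admin"] += 1
        else:
            per_source[src]["time"] += 1
    flagged = sorted(s for s, c in per_source.items() if c["admin"] > 0)
    return {"per_source": {s: dict(c) for s, c in per_source.items()},
            "flagged": flagged}


# Constructed sample packets (not captured traffic):
# 0x23 = LI 0, VN 4, mode 3: a normal client time request (48-byte packet).
CLIENT_REQUEST = bytes([0x23]) + bytes(47)
# 0x17 = R 0, M 0, VN 2, mode 7; impl 3; request code 42: a monlist query.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)
# 0x16 = LI 0, VN 2, mode 6: an ntpq-style control query.
CONTROL_QUERY = bytes([0x16, 0x02]) + bytes(10)

SAMPLE_TRAFFIC = [
    ("192.0.2.10", CLIENT_REQUEST),       # constructed: legitimate client
    ("198.51.100.7", MONLIST_REQUEST),    # constructed: admin queries
    ("198.51.100.7", MONLIST_REQUEST),
    ("198.51.100.7", MONLIST_REQUEST),
    ("203.0.113.5", CONTROL_QUERY),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_TRAFFIC)
    for src, counts in report["per_source"].items():
        print(f"{src:15} {counts}")
    print("sources sending admin-mode queries:", report["flagged"])
```

On a host that only needs to keep its own clock right, every mode 6/7 packet arriving from the Internet is traffic the machine has no reason to answer; the per-source counts give the numbers to justify either an ipfilter rule on UDP/123 or ntpd's own `restrict ... noquery` configuration, and to confirm afterwards that the inbound queries are being dropped rather than answered.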

_______________________________________________
OpenIndiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
