Slackware This Forum is for the discussion of Slackware Linux.
|
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
01-14-2014, 12:28 PM
|
#1
|
Senior Member
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541
|
US Cert: TA14-013A: NTP Amplification Attacks Using CVE-2013-5211
Original release date: January 13, 2014 | Last revised: January 14, 2014
Systems Affected
NTP servers
Overview
A Network Time Protocol (NTP) Amplification attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publically accessible NTP servers to overwhelm a victim system with UDP traffic.
Description
The NTP service supports a monitoring service that allows administrators to query the server for traffic counts of connected clients. This information is provided via the “monlist” command. The basic attack technique consists of an attacker sending a "get monlist" request to a vulnerable NTP server, with the source address spoofed to be the victim’s address.
Version prior to 4.2.7 may be vulnerable, Slackware stable is at ntp-4.2.6p5, however, I have not seen the problem with the tests found in the CERT Notice (YMMV).
Worth your time to read the entire notice and possibly take action: https://www.us-cert.gov/ncas/alerts/TA14-013A.
Hope this helps some.
|
|
|
01-14-2014, 06:06 PM
|
#2
|
Member
Registered: Mar 2013
Location: Florida, USA
Distribution: Slackware, FreeBSD
Posts: 210
Rep:
|
Thanks! Uh...so now what? "Version prior to 4.2.7" means "every production version of ntpd." So the fix is either a) get the development version, which will be good, but you might be following quality beta releases until the end of time; or b) add "restrict default noquery" and "restrict -6 default noquery" to your ntp.conf file. Tough choice, indeed. ntpd is slightly overdue for a new release, though, so maybe this will get things moving along...
|
|
|
01-14-2014, 06:31 PM
|
#3
|
Member
Registered: Sep 2004
Location: Japan
Distribution: RHEL9.4
Posts: 735
Rep:
|
Suppose you could also switch to ptp.
|
|
|
01-14-2014, 06:43 PM
|
#4
|
Member
Registered: Mar 2013
Location: Florida, USA
Distribution: Slackware, FreeBSD
Posts: 210
Rep:
|
Or chrony, though it doesn't quite have the facilities or reference clocks of ntpd. Still doesn't seem too bad at first glance.
The same CVE at ntp.org has "disable monitor" as a solution, but the separate CVE listed just below it at ntp.org suggests either an upgrade or use of restrict lines as well. The ntp.org version of the CVE is at this support.ntp.org page.
Last edited by mlslk31; 01-14-2014 at 06:47 PM.
Reason: not typing or thinking well tonight...sorry
|
|
|
01-15-2014, 07:48 AM
|
#5
|
Senior Member
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541
Original Poster
|
The CERT notice provides a...
Quote:
Recommended Course of Action
As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7. However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.
To disable “monlist” functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
|
I suppose that, can't prove it but suppose, adding the recommended directive as above might just do the trick. Until I hear otherwise, I'll take CERT's word for it, I think. Personally, I don't want to do without NTP (nor do I want to buy a GPS reference clock -- pricey buggers, those). Over the years NTP has been pretty reliable, little glitch here, little glitch there, but all-in-all a darned useful piece of software that just sits there mumbling to itself and doing what it's supposed to do. It would not surprise me if somebody noticed this, notified NTP developers and they notified CERT right quick; they've always impressed me as a responsible bunch of folks that take seriously any problems. Can't ask for much more than that, methinks.
NTP is, pretty much, part of the infrastructure and I'm expecting a quick fix -- just the notice about how to fix the problem in existing installations kind of tells you what sort of folks you're dealing with... sorta like Slackware, eh?
Hope this helps some.
|
|
|
01-15-2014, 11:34 AM
|
#6
|
Member
Registered: Nov 2010
Location: Tucson, Arizona US
Distribution: Slackware Current
Posts: 374
Rep:
|
This has already been reported. When I went to add the two lines to /etc/ntp.conf, they were already therein, along with:
# Attempt to baffle cyberweasels.
disable monitor I don't know when I added those, but since it is my habit to keep current on https://isc.sans.edu/diary.html, it was probably reported in there.
For those who wish more information on the US CERT messages, follow the links in ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt. Note the CVE number begins with "2013." Unless you are operating an NTP server facing the Internet, no worries. Systems administrators probably have already fixed their systems; if not, firewall rules should cover it.
I acknowledge the sense of panic these CERT messages may invoke, but, rather than posting last year's news here, do a little research first. Everyone is a little shell-shocked by the recent upsurge in cyberweasel activity, what with 70 million Target customers and Neiman Marcus, before that Adobe.com was raided for who-knows-how-many accounts. Those sociopaths have been actively engaged in criminal activity for decades. They have no Father Figure in their pathetic lives, so they seek a sense of downward self-transcendence via herd intoxication by getting recognition from other sociopaths. I blame secular humanism, which has yet to come up with a way to teach ethics and instill a sense of moral obligation to society. But I digress.
|
|
|
01-15-2014, 01:23 PM
|
#7
|
Member
Registered: Aug 2012
Posts: 484
Rep:
|
Amplification attacks are unfortunately easy to carry out when payload asymmetries with spoofed source addresses can be triggered (e.g. small UDP requests generating large responses).
The good news is Slackware's default ntp config already mitigates monlist amplification attacks:
Code:
# Don't serve time or stats to anyone else by default (more secure)
restrict default noquery nomodify
#
# Trust ourselves. :-)
restrict 127.0.0.1
If, as hpfeil said, you have an internet-facing ntp server, don't become part of the problem by allowing external monlist queries.
Note: ntp 4.2.7 deprecates monlist and introduces mrulist which requires nonce-authenticated client requests. This prevents the ntp server from being used to DoS a victim.
--mancha
|
|
|
01-15-2014, 01:35 PM
|
#8
|
Senior Member
Registered: Mar 2007
Posts: 2,317
|
The correct restrict noquery line has been there since slackware-9.0. But it wouldn't hurt to add another one for IPv6 (similar restrict -6 line).
|
|
|
All times are GMT -5. The time now is 01:14 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|