LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 01-14-2014, 12:28 PM   #1
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065
US Cert: TA14-013A: NTP Amplification Attacks Using CVE-2013-5211


Original release date: January 13, 2014 | Last revised: January 14, 2014

Systems Affected

NTP servers

Overview

A Network Time Protocol (NTP) Amplification attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publically accessible NTP servers to overwhelm a victim system with UDP traffic.

Description

The NTP service supports a monitoring service that allows administrators to query the server for traffic counts of connected clients. This information is provided via the “monlist” command. The basic attack technique consists of an attacker sending a "get monlist" request to a vulnerable NTP server, with the source address spoofed to be the victim’s address.

Version prior to 4.2.7 may be vulnerable, Slackware stable is at ntp-4.2.6p5, however, I have not seen the problem with the tests found in the CERT Notice (YMMV).

Worth your time to read the entire notice and possibly take action: https://www.us-cert.gov/ncas/alerts/TA14-013A.

Hope this helps some.
 
Old 01-14-2014, 06:06 PM   #2
mlslk31
Member
 
Registered: Mar 2013
Location: Florida, USA
Distribution: Slackware, FreeBSD
Posts: 210

Rep: Reputation: 77
Thanks! Uh...so now what? "Version prior to 4.2.7" means "every production version of ntpd." So the fix is either a) get the development version, which will be good, but you might be following quality beta releases until the end of time; or b) add "restrict default noquery" and "restrict -6 default noquery" to your ntp.conf file. Tough choice, indeed. ntpd is slightly overdue for a new release, though, so maybe this will get things moving along...
 
Old 01-14-2014, 06:31 PM   #3
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: RHEL9.4
Posts: 735

Rep: Reputation: 154Reputation: 154
Suppose you could also switch to ptp.
 
Old 01-14-2014, 06:43 PM   #4
mlslk31
Member
 
Registered: Mar 2013
Location: Florida, USA
Distribution: Slackware, FreeBSD
Posts: 210

Rep: Reputation: 77
Or chrony, though it doesn't quite have the facilities or reference clocks of ntpd. Still doesn't seem too bad at first glance.

The same CVE at ntp.org has "disable monitor" as a solution, but the separate CVE listed just below it at ntp.org suggests either an upgrade or use of restrict lines as well. The ntp.org version of the CVE is at this support.ntp.org page.

Last edited by mlslk31; 01-14-2014 at 06:47 PM. Reason: not typing or thinking well tonight...sorry
 
Old 01-15-2014, 07:48 AM   #5
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Original Poster
Rep: Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065
The CERT notice provides a...
Quote:
Recommended Course of Action

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7. However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.

To disable “monlist” functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:

restrict default kod nomodify notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery
I suppose that, can't prove it but suppose, adding the recommended directive as above might just do the trick. Until I hear otherwise, I'll take CERT's word for it, I think. Personally, I don't want to do without NTP (nor do I want to buy a GPS reference clock -- pricey buggers, those). Over the years NTP has been pretty reliable, little glitch here, little glitch there, but all-in-all a darned useful piece of software that just sits there mumbling to itself and doing what it's supposed to do. It would not surprise me if somebody noticed this, notified NTP developers and they notified CERT right quick; they've always impressed me as a responsible bunch of folks that take seriously any problems. Can't ask for much more than that, methinks.

NTP is, pretty much, part of the infrastructure and I'm expecting a quick fix -- just the notice about how to fix the problem in existing installations kind of tells you what sort of folks you're dealing with... sorta like Slackware, eh?

Hope this helps some.
 
Old 01-15-2014, 11:34 AM   #6
hpfeil
Member
 
Registered: Nov 2010
Location: Tucson, Arizona US
Distribution: Slackware Current
Posts: 374
Blog Entries: 1

Rep: Reputation: Disabled
This has already been reported. When I went to add the two lines to /etc/ntp.conf, they were already therein, along with:
# Attempt to baffle cyberweasels.
disable monitor
I don't know when I added those, but since it is my habit to keep current on https://isc.sans.edu/diary.html, it was probably reported in there.

For those who wish more information on the US CERT messages, follow the links in ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt. Note the CVE number begins with "2013." Unless you are operating an NTP server facing the Internet, no worries. Systems administrators probably have already fixed their systems; if not, firewall rules should cover it.

I acknowledge the sense of panic these CERT messages may invoke, but, rather than posting last year's news here, do a little research first. Everyone is a little shell-shocked by the recent upsurge in cyberweasel activity, what with 70 million Target customers and Neiman Marcus, before that Adobe.com was raided for who-knows-how-many accounts. Those sociopaths have been actively engaged in criminal activity for decades. They have no Father Figure in their pathetic lives, so they seek a sense of downward self-transcendence via herd intoxication by getting recognition from other sociopaths. I blame secular humanism, which has yet to come up with a way to teach ethics and instill a sense of moral obligation to society. But I digress.
 
Old 01-15-2014, 01:23 PM   #7
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
Amplification attacks are unfortunately easy to carry out when payload asymmetries with spoofed source addresses can be triggered (e.g. small UDP requests generating large responses).

The good news is Slackware's default ntp config already mitigates monlist amplification attacks:

Code:
# Don't serve time or stats to anyone else by default (more secure)
restrict default noquery nomodify

#
# Trust ourselves.  :-)
restrict 127.0.0.1
If, as hpfeil said, you have an internet-facing ntp server, don't become part of the problem by allowing external monlist queries.

Note: ntp 4.2.7 deprecates monlist and introduces mrulist which requires nonce-authenticated client requests. This prevents the ntp server from being used to DoS a victim.

--mancha
 
Old 01-15-2014, 01:35 PM   #8
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 2,317

Rep: Reputation: 1921Reputation: 1921Reputation: 1921Reputation: 1921Reputation: 1921Reputation: 1921Reputation: 1921Reputation: 1921Reputation: 1921Reputation: 1921Reputation: 1921
The correct restrict noquery line has been there since slackware-9.0. But it wouldn't hurt to add another one for IPv6 (similar restrict -6 line).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
US Cert: TA14-013A: NTP Amplification Attacks Using CVE-2013-5211 tronayne Linux - Security 0 01-15-2014 04:44 AM
US-CERT Alert (TA13-088A) DNS Amplification Attacks (Revised 22 July 2013) tronayne Linux - Security 4 09-20-2013 06:11 AM
[SOLVED] US-CERT Alert TA13-088A: DNS Amplification Attacks tronayne Slackware 11 08-16-2013 12:20 PM
[SOLVED] US-CERT Alert TA13-088A: DNS Amplification Attacks tronayne Linux - Security 0 03-31-2013 04:45 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 01:14 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration