Ask Bjørn Hansen writes:

> So an ntpd "client" is safe from a malicious server? If so then I will
> re-enable adding servers to the pool.

If a malicious packet is sent to an ntpd instance from an IP that is caught by a 'restrict ... noquery' packet, which has been published BCP for a while now (which is not to say folks have implemented it), then that packet will be dropped before any of these exploits could be attempted. Please read that sentence carefully. I'm not sure I have written that sentence "excellently".

> I'd like to put a post on the ntppool news site so anything you can
> add about what the exposure is would be helpful.

> It sounds like disabling crypto config and restricting "query" to
> networks that are safe with appropriate firewall rules mitigates the
> issues, is that correct?

Yes.

And I'll add that a number of sources are claiming "active exploits and attacks" being in progress - I have heard of *none*. If you know of any, please tell me.

I'm also impressed (not positively) by the number of ostensibly reputable sources of news and information who have never contacted NTF or the NTP Project.

H
--
> > On Dec 21, 2014, at 22:45, Harlan Stenn <[email protected]> wrote:
> >
> > If you have been following BCP and only allow 'query' from trusted hosts
> > you are protected from these attacks.
> >
> > Sorry I'm not writing more about this. I have a HUGE amount of work to
> > do still that is arguably more important than providing supporting
> > information to that statement. But anybody who gives a little thought
> > to what is going on with these announced problems will see why the above
> > is true.
> > --
> > Harlan Stenn <[email protected]>
> > http://networktimefoundation.org - be a member!

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
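The mitigation the thread describes (deny 'query' by default, allow it only from trusted hosts, and leave the crypto configuration out) as an added ntp.conf example; this is not from the original thread, and the upstream server names and the 192.0.2.0/24 "trusted" network are assumed placeholders.

```conf
# Added example ntp.conf, not from the original thread.
#
# Weak form: a default restriction with no flags grants every host
# full access, including ntpq/ntpdc control queries and runtime
# configuration changes:
#
#   restrict default
#
# Hardened form: deny control queries and modification to everyone by
# default, then open only what is needed. ntpd still answers ordinary
# client time requests under these flags; 'kod' rate-limits abusers.

driftfile /var/lib/ntp/ntp.drift

restrict default    kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Localhost may query (needed for local 'ntpq -p' checks).
restrict 127.0.0.1
restrict ::1

# Assumed trusted management network: may query, but not reconfigure.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap

# Upstream sources (assumed names).
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

# Deliberately absent: no 'crypto' or autokey directives, so the crypto
# configuration the thread says to disable is not enabled at all.
```

To confirm the restriction is in effect, run `ntpq -p <this-server>` from a host outside the trusted network: it should time out instead of returning peer data, while `ntpq -p` from localhost still works.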
