[request] ntp upgrade

2013-11-27 Thread Cristiano Deana
Hi,

is it possible to include in base system of the upcoming 10.0 the new
version of ntp (4.2.7 instead of 4.2.4)?

There is a bug in older versions (< 4.2.7) that allows an attacker to use an ntp
server to DDoS. This has been corrected in the new version:
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks

This attack seems to be increasing in the last few weeks.

net/ntp-devel is Ok.

Thank you, sorry for my basic English.

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: [request] ntp upgrade

2013-11-27 Thread Tom Evans
On Wed, Nov 27, 2013 at 3:29 PM, Cristiano Deana wrote:
> Hi,
>
> is it possible to include in base system of the upcoming 10.0 the new
> version of ntp (4.2.7 instead of 4.2.4)?
>
> There is a bug in older versions (< 4.2.7) that allows an attacker to use an ntp
> server to DDoS. This has been corrected in the new version:
> https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
>
> This attack seems to be increasing in the last few weeks.
>
> net/ntp-devel is Ok.
>
> Thank you, sorry for my basic English.
>

ntp 4.2.4p8 isn't vulnerable.

http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html

The reflection attack is the first in the list, 4.2.4p7 and below are affected.

Cheers

Tom


Re: [request] ntp upgrade

2013-11-27 Thread Cristiano Deana
On Wed, Nov 27, 2013 at 5:06 PM, Tom Evans wrote:


> > There is a bug in older versions (< 4.2.7) that allows an attacker to use an ntp
> > server to DDoS. This has been corrected in the new version:
> > https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
> >
> > This attack seems to be increasing in the last few weeks.
> >
> > net/ntp-devel is Ok.
>
>
> ntp 4.2.4p8 isn't vulnerable.
>
> http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html
>
> The reflection attack is the first in the list, 4.2.4p7 and below are
> affected.



Thank you, Tom, for your quick reply.

That is not the same bug. I had two ntpd with 4.2.4p8 used in the last few days to
DDoS. I found the link below, used net/ntp-devel and the abuse was gone.

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/


Re: [request] ntp upgrade

2013-11-27 Thread Tom Evans
On Wed, Nov 27, 2013 at 4:10 PM, Cristiano Deana wrote:
> On Wed, Nov 27, 2013 at 5:06 PM, Tom Evans wrote:
>
>>
>> > There is a bug in older versions (< 4.2.7) that allows an attacker to use an
>> > ntp server to DDoS. This has been corrected in the new version:
>> > https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
>> >
>> > This attack seems to be increasing in the last few weeks.
>> >
>> > net/ntp-devel is Ok.
>>
>>
>> ntp 4.2.4p8 isn't vulnerable.
>>
>> http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html
>>
>> The reflection attack is the first in the list, 4.2.4p7 and below are
>> affected.
>
>
>
> Thank you, Tom, for your quick reply.
>
> That is not the same bug. I had two ntpd with 4.2.4p8 used in the last few days to
> DDoS. I found the link below, used net/ntp-devel and the abuse was gone.
>

Does it have a CVE? The article is low on content :(

Cheers

Tom


Re: [request] ntp upgrade

2013-11-27 Thread Olivier Cochard-Labbé
On Wed, Nov 27, 2013 at 4:29 PM, Cristiano Deana wrote:
> Hi,
>
> is it possible to include in base system of the upcoming 10.0 the new
> version of ntp (4.2.7 instead of 4.2.4)?
>
> There is a bug in older versions (< 4.2.7) that allows an attacker to use an ntp
> server to DDoS. This has been corrected in the new version:
> https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks

Thanks for this URL, I've met this problem on my FreeBSD 9.2 a few
weeks ago (public NTP registered in the pool.ntp.org).

There is a thread on the ntp.org ML about this too:
http://lists.ntp.org/pipermail/pool/2013-November/thread.html

Regards,

Olivier


Re: [request] ntp upgrade

2013-11-27 Thread Cristiano Deana
On Wed, Nov 27, 2013 at 6:21 PM, Tom Evans wrote:


> Does it have a CVE? The article is low on content
>
>
I don't think so. I think there were a lot of ideas about the DDoS, that's
the only article suggesting a right solution (in my experience).
I think they are still investigating.

Italian FreeBSD User Group
http://www.gufi.org/


Re: [request] ntp upgrade

2013-11-27 Thread Cristiano Deana
On Wed, Nov 27, 2013 at 9:03 PM, Olivier Cochard-Labbé wrote:

Hi

> Thanks for this URL, I've met this problem on my FreeBSD 9.2 a few
> weeks ago (public NTP registered in the pool.ntp.org).
>

Same for me.


>
> There is a thread on the ntp.org ML about this too:
> http://lists.ntp.org/pipermail/pool/2013-November/thread.html
>
>
I tried those suggestions too (with the "discard" parameter) but it didn't work.
When I switched to ntp-devel everything went fine.

Just:
# service ntpd stop
# cd /usr/ports/net/ntp-devel && make -DBATCH install
# echo 'ntpd_program="/usr/local/sbin/ntpd"' >> /etc/rc.conf
# service ntpd start

It will use the same /etc/ntp.conf conf file.



-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/
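
A post-switch check for the procedure in the message above, as an added example that is not part of the original thread: it reads which ntpd binary rc.conf selects and compares a bare version string against 4.2.7, the version the original poster names. The function names, the /usr/sbin/ntpd fallback and the sample rc.conf and version strings are assumptions constructed for illustration.

```shell
# Added example, not from the thread; 4.2.7 is the poster's stated threshold.

# Print the ntpd binary rc.conf selects. rc.conf is sourced as shell, so with
# several ntpd_program= lines (the procedure appends with >>) the last one wins.
# Falls back to /usr/sbin/ntpd, assumed here to be the base-system default.
rc_ntpd_program() {
    awk '/^[ \t]*ntpd_program=/ {
             v = substr($0, index($0, "=") + 1)
             sub(/[ \t]+#.*$/, "", v)                  # drop trailing comment
             gsub(/^[ \t"\047]+|[ \t"\047]+$/, "", v)  # drop quotes and blanks
             last = v
         }
         END { print (last != "" ? last : "/usr/sbin/ntpd") }' "$1"
}

# Split a bare NTP version such as "4.2.4p8" into "4 2 4 8"; empty if unparseable.
ntp_version_fields() {
    printf '%s\n' "$1" | sed -n \
      's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*$/\1 \2 \3 \5/p'
}

# Return 0 if version $1 >= version $2, 1 if lower, 2 if either is unparseable.
ntp_version_ge() {
    a=$(ntp_version_fields "$1"); b=$(ntp_version_fields "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    set -- $a; a1=$1 a2=$2 a3=$3 a4=${4:-0}      # missing patch level counts as 0
    set -- $b
    for pair in "$a1:$1" "$a2:$2" "$a3:$3" "$a4:${4:-0}"; do
        l=${pair%:*}; r=${pair#*:}
        [ "$l" -gt "$r" ] && return 0
        [ "$l" -lt "$r" ] && return 1
    done
    return 0
}

# $1 = rc.conf path, $2 = version string reported by the selected binary.
check_ntpd_switch() {
    prog=$(rc_ntpd_program "$1")
    if [ "$prog" = /usr/local/sbin/ntpd ] && ntp_version_ge "$2" 4.2.7; then
        echo "ok: $prog $2"; return 0
    fi
    echo "check: rc.conf selects $prog, version $2"; return 1
}

# Constructed sample: rc.conf after the append, with an older line still present.
demo=$(mktemp)
printf '%s\n' 'ntpd_program="/usr/sbin/ntpd"' 'ntpd_program="/usr/local/sbin/ntpd"' > "$demo"
check_ntpd_switch "$demo" 4.2.7p404            # constructed ports version string
check_ntpd_switch "$demo" 4.2.4p8 || true      # base version from the thread
rm -f "$demo"
```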