Re: [Nix-dev] ntp monlist ddos vulnerability
Excerpts from Mathijs Kwik's message of Mon Feb 24 16:27:58 + 2014:
> Our ntpd version (stable, 2011) contains a feature called 'monlist', which is enabled by default.
> This feature has recently been abused by huge ntp-amplification ddos attacks.

I'd say it's a strong reason - so at least make it opt-in and document it (or do what you proposed).

Marc Weber

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] ntp monlist ddos vulnerability
After some more investigation, I think we should just add "disable monitor" to nixos' ntpd.conf.

It seems the monitoring functionality is not needed for normal operation, so it was a mistake (upstream) to enable it by default. However, it is not a security vulnerability for the system itself, so no patch/fix is done for stable. Development releases seem to happen way too often, so tracking those is not a good solution.

Since we already suffer from option-bloat, I suggest we add the line unconditionally, unless someone actually uses this feature. In that case I'm happy to create an option with a big fat warning description.

Please let me know.

On Mon, Feb 24, 2014 at 5:27 PM, Mathijs Kwik <math...@bluescreen303.nl> wrote:
> Hi all,
>
> Our ntpd version (stable, 2011) contains a feature called 'monlist', which is enabled by default.
> This feature has recently been abused by huge ntp-amplification ddos attacks.
>
> However, the vulnerability has only been fixed in the development version and security firms recommend upgrading to that (at least v4.2.7p26, 03/2010 release, so not really bleeding edge).
>
> Another option is to disable the problematic 'monlist' service in our current version by adding a line to the config file: "disable monitor". However, the replacement 'mrulist' functionality is only available in the development release, so just disabling monlist probably cripples operations (I'm not very familiar with ntp).
>
> Given the fact that the stable release hasn't been updated with a fix, I would suggest we start following development releases for ntp, because there are probably other issues lurking in stable.
>
> Does anyone object to that? Or does anyone propose a different solution?
>
> http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
>
> Regards,
> Mathijs
Re: [Nix-dev] ntp monlist ddos vulnerability
On 24/02/14 17:27, Mathijs Kwik wrote:
> Our ntpd version (stable, 2011) contains a feature called 'monlist', which is enabled by default.
> This feature has recently been abused by huge ntp-amplification ddos attacks.

AFAIK, this commit works around the problem:

https://github.com/NixOS/nixpkgs/commit/9e7fe29e416736bf2be5aeaf7adbad05d4e175cf

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] ntp monlist ddos vulnerability
Eelco Dolstra <eelco.dols...@logicblox.com> writes:
> On 24/02/14 17:27, Mathijs Kwik wrote:
>> Our ntpd version (stable, 2011) contains a feature called 'monlist', which is enabled by default.
>> This feature has recently been abused by huge ntp-amplification ddos attacks.
>
> AFAIK, this commit works around the problem:
>
> https://github.com/NixOS/nixpkgs/commit/9e7fe29e416736bf2be5aeaf7adbad05d4e175cf

I think it needs 1 more line: "disable monitor"

My hosting provider sent me this (in Dutch):
https://www.transip.nl/vragen/583-bescherm-mijn-server-tegen-misbruik

Do you think we should add that too?
Re: [Nix-dev] ntp monlist ddos vulnerability
Sorry for the noise, we are fine. The link in your commit explains it. "noquery" does the trick indeed.

On Mon, Feb 24, 2014 at 7:22 PM, Mathijs Kwik <math...@bluescreen303.nl> wrote:
> Eelco Dolstra <eelco.dols...@logicblox.com> writes:
>> On 24/02/14 17:27, Mathijs Kwik wrote:
>>> Our ntpd version (stable, 2011) contains a feature called 'monlist', which is enabled by default.
>>> This feature has recently been abused by huge ntp-amplification ddos attacks.
>>
>> AFAIK, this commit works around the problem:
>>
>> https://github.com/NixOS/nixpkgs/commit/9e7fe29e416736bf2be5aeaf7adbad05d4e175cf
>
> I think it needs 1 more line: "disable monitor"
>
> My hosting provider sent me this (in Dutch):
> https://www.transip.nl/vragen/583-bescherm-mijn-server-tegen-misbruik
>
> Do you think we should add that too?
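The thread settles on two equivalent mitigations for the 2011-era ntpd: "disable monitor" in ntp.conf, or a "restrict default" line carrying "noquery" so mode 6/7 control queries (monlist among them) are refused. The following checker, an added example that is not code from the thread or from nixpkgs, reads an ntp.conf and reports whether either mitigation is in place for both address families; it assumes that a later "restrict default" line for the same family replaces the flags of an earlier one, and its sample configs are constructed for illustration.

```python
"""Check an ntp.conf for the monlist (mode 7) exposure discussed in the thread.
Two settings count as mitigations: 'disable monitor' (switches the monitor
subsystem off) and 'restrict default ... noquery' (refuses mode 6/7 control
queries, monlist among them, from anyone not re-allowed by a later line).
Added example, not code from the nix-dev thread or from nixpkgs. Assumption:
a later 'restrict default' line for the same address family replaces the flags
of an earlier one. The sample configs are constructed for illustration.
"""


def monlist_exposed(config_text):
    """Return True if arbitrary clients can still send monlist (mode 7) queries."""
    # Tokenise each line with its trailing '#' comment removed.
    lines = [l.split("#", 1)[0].split() for l in config_text.splitlines()]
    # 'disable monitor' removes the feature no matter what the restrict lines say.
    for words in lines:
        if len(words) >= 2 and words[0] == "disable" and "monitor" in words[1:]:
            return False
    # Track whether the IPv4 and IPv6 default restrictions deny control queries.
    denies = {"-4": False, "-6": False}
    for words in lines:
        if not words or words[0] != "restrict":
            continue
        args, families = words[1:], ["-4", "-6"]
        if args and args[0] in families:
            families, args = [args[0]], args[1:]
        if not args or args[0] != "default":
            continue  # per-host restrict lines are out of scope here
        flagged = bool(set(args[1:]) & {"noquery", "ignore"})
        for fam in families:
            denies[fam] = flagged
    return not (denies["-4"] and denies["-6"])


VULNERABLE_CONF = """\
# constructed sample: 2011-era defaults, monitor on, no noquery
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

NOQUERY_CONF = """\
# constructed sample: the noquery workaround for both address families
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
```

A config that sets "noquery" only on "restrict -4 default" is still reported as exposed, since the IPv6 default would keep answering monlist.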