NTP vulnerability fix

[nanotek]

I'm just wondering what mitigation network administrators have implemented to prevent the ntpdc monlist query DRDoS attack [0]?

Is upgrading to NTP 4.2.7p26 or later the best solution? Disabling remote queries entirely, or simply disabling monitor queries [1]?

[0]
http://web.nvd.nist.gov/view/vuln/detai ... -2013-5211
http://support.ntp.org/bin/view/Main/Se ... tack_using

[1] /etc/ntp.conf mitigation:

# disable remote queries entirely
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1

# disable monitor queries
disable monitor

 

[chatwizrd]

Did you see http://www.freebsd.org/security/advisor ... 2.ntpd.asc

 

[nanotek]

No, I didn't. Thanks for sharing, @chatwizrd. So, freebsd-update patches this vulnerability?

 

[trh411]

No, I didn't. Thanks for sharing, @chatwizrd. So, freebsd-update patches this vulnerability?

Yes. Per the advisory that is one of the options.

 

[nanotek]

Thanks. Good to see FreeBSD on top of things like this; it sort of kills my interest in running OpenBSD.