ntp server CVE-2013-5211
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Fuel for OpenStack |
New
|
Undecided
|
Unassigned |
Bug Description
Fuel 7.0
Kilo on Ubuntu
Fuel deploys ntp server with exploit, our public network is internet routable and all nodes are connected to the public network.
One of our nodes was used in a large scale attack by generating UDP responses to spoofed "monlist"
requests that claimed to be from the attack target.
1. If you run ntpd, upgrading to the latest version, which removes the
> "monlist" command that is used for these attacks; alternately,
> disabling the monitoring function by adding "disable monitor" to your
> /etc/ntp.conf file.
> 2. Setting the NTP installation to act as a client only. With ntpd,
> that can be done with "restrict default ignore" in /etc/ntp.conf;
> other daemons should have a similar configuration option. More
> information on configuring different devices can be found here:
> https:/
> template.html.
> 3. Adjusting your firewall or NTP server configuration so that it only
> serves your users and does not respond to outside IP addresses.
>
> If you don't mean to run a public NTP server, we recommend #1 and #2.
> If you do mean to run a public NTP server, we recommend #1, and also
> that you rate-limit responses to individual source IP addresses --
> silently discarding those that exceed a low number, such as one
> request per IP address per second. Rate-limit functionality is built
> into many recently-released NTP daemons, including ntpd, but needs to
> be enabled; it would help with different types of attacks than this
> one.
>
> Fixing open NTP servers is important; with the 1000x+ amplification
> factor of NTP DRDoS attacks -- one 40-byte-long request can generate
> up to 46800 bytes worth of response traffic -- it only takes one
> machine on an unfiltered 100 Mbps link to create a 100+ Gbps attack!
>
> If you are an ISP, please also look at your network configuration and
> make sure that you do not allow spoofed traffic (that pretends to be
> from external IP addresses) to leave the network. Hosts that allow
> spoofed traffic make possible this type of attack.
>
> Further reading:
>
> https:/
> https:/
> http://
> launching-
> http://
> n=true
>
> You can find more vulnerable servers on a network through this site:
> http://
>
CVE References
information type: | Private Security → Public |
Fuel deploys this configuration:
# ntp.conf: Managed by puppet.
#
# Enable next tinker options:
# panic - keep ntpd from panicking in the event of a large clock skew
# when a VM guest is suspended and resumed;
# stepout - allow ntpd change offset faster
tinker panic 0 stepout 5
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict -4 kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# Set up servers for ntpd with next options:
# server - IP address or DNS name of upstream NTP server
# iburst - allow send sync packages faster if upstream unavailable
# prefer - select preferrable server
# minpoll - set minimal update frequency
# maxpoll - set maximal update frequency
server 172.25.90.1 iburst minpoll 3
# Driftfile.
driftfile /var/lib/ntp/drift