Warn on noquery in ntp.conf
Bug #1263703 reported by Jure Sah
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ntp (Ubuntu) | Fix Released | Low | Unassigned | | |
Bug Description
The "restrict" row comments of the default /etc/ntp.conf configuration file should more explicitly warn(!) against the dropping of "noquery" or similar options, because their removal might cause the server to become vulnerable to (become a party in) DoS attacks.
Many admins have mistakenly removed the block, thinking they have either enabled the server to be queried from the subnet in question or made it more usable by doing so. This resulted in a number of reflection attacks via NTP we have been seeing in the past few days.
information type: | Private Security → Public |
Changed in ntp (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → Low |
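The check the report asks admins to keep in mind can be automated. The following is an added example, not part of the bug report or of the ntp package: it parses `restrict` lines and lists every non-loopback rule that no longer carries `noquery` (or `ignore`). The sample configuration is constructed, and `audit_restrict` is a hypothetical helper name.

```python
import ipaddress

# noquery denies ntpq/ntpdc queries; ignore denies all packets from the source.
QUERY_BLOCKING = {"noquery", "ignore"}

# Constructed sample: default rules kept, plus a subnet rule with noquery dropped.
SAMPLE_CONF = """\
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 notrap nomodify   # noquery removed
"""

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "default" or a hostname: treat as remote

def audit_restrict(conf_text):
    """Return (line_no, address, flags) for restrict rules that still answer queries."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args:
            continue
        addr, rest = args[0], args[1:]
        if rest[:1] == ["mask"]:                   # skip "mask <netmask>"
            rest = rest[2:]
        flags = set(rest)
        if is_loopback(addr):
            continue                               # local ntpq access is expected
        if not flags & QUERY_BLOCKING:
            findings.append((line_no, addr, sorted(flags)))
    return findings

if __name__ == "__main__":
    for line_no, addr, flags in audit_restrict(SAMPLE_CONF):
        print(f"line {line_no}: restrict {addr} lacks noquery "
              f"(flags: {' '.join(flags) or 'none'})")
```
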
I know it's a long time, but I'm cleaning up old NTP bugs atm.
While it is true that the comments could be (have been) more explicit, the risk of being part of a DRDoS attack has been fixed upstream. See http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.1.3.
Recent releases have these versions (or newer), therefore setting fix released.