[Nix-dev] ntp monlist ddos vulnerability

Mathijs Kwik mathijs at bluescreen303.nl
Mon Feb 24 17:46:58 CET 2014


After some more investigation, I think we should just add "disable
monitor" to nixos' ntpd.conf.
It seems the monitoring functionality is not needed for normal
operation so it was a mistake (upstream) to enable it by default.
However, it is not a security vulnerability for the system itself, so
no patch/fix is done for stable.

Development releases seem to happen way too often, so tracking those
is not a good solution.

Since we already suffer from option-bloat, I suggest we add the line
unconditionally, unless someone actually uses this feature. In that
case I'm happy to create an option with a big fat warning description.

Please let me know.




On Mon, Feb 24, 2014 at 5:27 PM, Mathijs Kwik <mathijs at bluescreen303.nl> wrote:
> Hi all,
>
> Our ntpd version (stable, 2011) contains a feature called 'monlist',
> which is enabled by default. This feature has recently been abused by
> huge ntp-amplification ddos attacks.
>
> However, the vulnerability has only been fixed in the development
> version and security firms recommend upgrading to that (at least
> v4.2.7p26, 03/2010 release, so not really bleeding edge).
>
> Another option is to disable the problematic 'monlist' service in our
> current version by adding a line to the config file "disable
> monitor". However, the replacement 'mrulist' functionality is only
> available in the development release, so just disabling monlist probably
> cripples operations (I'm not very familiar with ntp).
>
> Given the fact that the stable release hasn't been updated with a fix, I
> would suggest we start following development releases for ntp, because
> there are probably other issues lurking in stable.
> Does anyone object to that? Or does anyone propose a different solution?
>
> http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
>
> Regards,
> Mathijs
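The mitigation discussed in this thread is a one-line change to ntpd.conf, so the useful thing to automate is checking that a generated config actually carries it. The audit below is an added example and not code from the thread or from NixOS; the two configs are constructed samples, and the `restrict default ... noquery`/`ignore` check goes beyond the thread (those are standard ntp.conf restrict flags that block mode 6/7 queries, so they close the monlist vector even when monitoring stays on).

```python
"""Audit an ntp.conf for exposure of the mode-7 'monlist' query (added example)."""

# Constructed sample configs, not taken from any real NixOS installation.
VULNERABLE_CONF = """\
server 0.pool.ntp.org
server 1.pool.ntp.org
driftfile /var/lib/ntp/ntp.drift
"""

HARDENED_CONF = """\
server 0.pool.ntp.org
driftfile /var/lib/ntp/ntp.drift
# line proposed on nix-dev: turn off the monitor subsystem that feeds monlist
disable monitor
"""


def _directives(conf):
    """Yield (keyword, args) for every non-comment, non-empty line, lower-cased."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.lower().split()
            yield parts[0], parts[1:]


def monitor_enabled(conf):
    """ntpd enables 'monitor' by default; later enable/disable lines override earlier ones."""
    enabled = True
    for key, args in _directives(conf):
        if key in ("enable", "disable") and "monitor" in args:
            enabled = key == "enable"
    return enabled


def default_restrict_noquery(conf):
    """True only if both the IPv4 and IPv6 default restrict entries carry noquery or ignore.
    'restrict default' covers both families; '-4' / '-6' narrow it to one."""
    blocked = {"v4": False, "v6": False}
    for key, args in _directives(conf):
        if key != "restrict" or not args:
            continue
        fams = {"v4", "v6"}
        if args[0] in ("-4", "-6"):
            fams, args = {"v4" if args[0] == "-4" else "v6"}, args[1:]
        if args and args[0] == "default":
            for fam in fams:
                blocked[fam] = any(f in ("noquery", "ignore") for f in args[1:])
    return blocked["v4"] and blocked["v6"]


def monlist_exposed(conf):
    """The amplification vector is open when monitoring is on and mode-7 queries are unrestricted."""
    return monitor_enabled(conf) and not default_restrict_noquery(conf)
```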
