[Admins] Blocked ports UDP/123, UDP/623

Jogi Hofmüller jogi at mur.at
Wed Nov 25 10:31:41 CET 2015


Dear all,

On 2015-11-24 at 14:52, IOhannes m zmölnig - mur.at wrote:

> yep. my question was about the latter ("attacked *from* mur.at")

Same answer.  So far there were no attacks _from_ one of our IPs that we
are aware of.

> oh ja. but I did not read those emails so i don't know what they say 
> *exactly*.

They _exactly_ inform us about IPs running vulnerable instances of
NTP servers.

An excerpt from one of these emails:

<snip>
we were informed that the attached IP Addresses from your network are
probably running misconfigured NTP Servers which might be disclosing
sensitive data and which can be abused for DDoS attacks via NTP
Reflection. For reference see

https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Version or
https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

We would like to ask you to act according to your policies and, if
necessary, take appropriate counter measures.
</snip>

> this sounds like really strange reasoning. (we could block TCP/22, 
> TCP/80 and TCP/443 with the very same argument).

Some do, we don't.  Also there is a significant difference when
comparing the attack vectors.  To my knowledge there is no known ssh (or
http) amplification attack.  So running an ssh server only exposes your
own server (with the possibility that your server will then try to crack
others) whereas running a vulnerable ntp server puts the entire net at
risk since it is an amplification attack.

> anyhow, i see that more and more aconet members block outgoing NTP 
> and I would like to really understand the reasoning behind that 
> (which I still do not, since a "CERT mentioning open ports on 
> vulnerable machines" is not good enough for me.

It's all because of the potential that one ntp server (if being
attacked) can take down an entire network.  Some people speak of
amplification factors >200 and the potential of generating >80mbps of
DDoS traffic for one ntp server.

But I fear this will also not suffice to end this discussion.  Still I
ask for people who insist on keeping Debian's default setting in the
ntp.conf and do not trust the service we provide on time.mur.at to
submit the IP(s) that should be whitelisted (IPv6 also please).

We also could exempt the range of IPs in our data center from filtering
ntp in general;  but that would leave out all those running servers on
different subnets.

On 2015-11-24 at 14:52, Christian Pointner wrote:

> I'm also not a big fan of generally blocking NTP. How about 
> blacklists and not whitelists? If it is really just some stubborn 
> admins just blocking them might do it?

I see your point.  The thing is that a blacklist is always one step
behind.  So a newly introduced ntp server is a risk until it gets
discovered and blacklisted.

Cheers,
-- 
j.hofmüller

We are all idiots with deadlines.                       - Mike West
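The whitelist approach debated above (block outgoing UDP/123 at the network border, pass only submitted IPv4/IPv6 destinations), as an added example that is not part of this thread or of mur.at's configuration: it validates a whitelist and renders an nftables ruleset for the forward hook. The addresses are constructed documentation values; the time server's real address would have to be filled in.

```python
"""Render an nftables ruleset that drops outgoing NTP (UDP/123) except to
whitelisted destinations, for IPv4 and IPv6.  Example code, not mur.at's."""
import ipaddress

# Constructed sample whitelist (RFC 5737 / RFC 3849 documentation ranges).
# A real list would start with the address of the provider's time server.
WHITELIST = [
    "192.0.2.10          # hypothetical placeholder for time.mur.at",
    "198.51.100.0/24     # data-center range, exempted as a whole",
    "2001:db8::123       # IPv6 entry, single host",
]


def parse_whitelist(lines):
    """Validate entries and split them into (v4, v6) lists.
    A malformed entry raises ValueError so a typo cannot open a hole silently."""
    v4, v6 = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        # Single hosts are written without /32 or /128 for readability.
        text = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        (v4 if net.version == 4 else v6).append(text)
    return v4, v6


def nft_ruleset(v4, v6, table="ntpfilter"):
    """Build the ruleset text: whitelisted destinations are accepted, every
    other forwarded UDP/123 packet is logged (to see who still needs an
    entry) and dropped.  Assumes the filter runs on the border router."""
    def set_def(name, family, elems):
        body = f"type {family}; flags interval;"
        if elems:
            body += " elements = { " + ", ".join(elems) + " };"
        return f"    set {name} {{ {body} }}"

    return "\n".join([
        f"table inet {table} {{",
        set_def("ntp_ok4", "ipv4_addr", v4),
        set_def("ntp_ok6", "ipv6_addr", v6),
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        ip daddr @ntp_ok4 udp dport 123 accept",
        "        ip6 daddr @ntp_ok6 udp dport 123 accept",
        '        udp dport 123 log prefix "ntp-blocked: " drop',
        "    }",
        "}",
    ])
```

Load the output with `nft -f`; the log line is what tells the admin which server still needs to be added (or pointed at the local time server) rather than waiting for a blacklist to catch it.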
