[pkg-ntp-maintainers] Bug#733940: Bug#733940: ntp missing security update, previously advised service configurations allow DDoS amplification attack prior to upstream 4.2.7p26

Michael Evans michael.evans at nor-consult.com
Mon May 19 21:31:42 UTC 2014


I cannot comment about the current default configuration value, but at least
historically it is not clearly documented that the noquery attribute is
related to preventing NTP security issues, or even /why/ that is the Debian
default.  The previous upstream documentation (which someone would only
think to look at when initially configuring a server) lacked a warning about
the noquery attribute preventing NTP reflection attacks (it now includes it)
and currently advises either running very recent releases with that
parameter or not at all.

The quite patch supplied about 3 months ago, by description at least,
appears to be a backport of the security functionality of allowing the
'safer' query operations while disabling those which are used in NTP
reflection attacks.

Proper documentation for a config only solution to this might look something
like:

# http://support.ntp.org/bin/view/Support/AccessRestrictions  -  ALERT!
# Users of NTP versions prior to 4.2.7p26 should either use noquery or disable
# monitor to ensure their ntpd is not used in a DRDoS Amplification Attack
# Debian currently ships from the stable release tree (4.2.6) which is
# vulnerable to NTP reflection attacks /unless/ noquery is set for public
# facing responses.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery


The older, modified configuration file only referenced a local cache of and
the directly linked upstream page as documentation for these parameters,
which at least previously (at some point), did not advise setting noquery in
all circumstances.

-----Original Message-----
From: Kurt Roeckx [mailto:kurt at roeckx.be] 
Sent: Monday, May 19, 2014 2:13 PM
To: Michael Evans; 733940 at bugs.debian.org
Subject: Re: [pkg-ntp-maintainers] Bug#733940: ntp missing security update,
previously advised service configurations allow DDoS amplification attack
prior to upstream 4.2.7p26

On Mon, May 19, 2014 at 01:13:05PM -0700, Michael Evans wrote:
> 
> The default shipped configuration file /may/ be secure, but does not 
> adequately document /why/ it is secure.  Previous versions of the 
> AccessRestrictions documentation (prior to likely someone early this 
> year when the NTP reflection attacks became popular) appeared to 
> advise removing the noquery attribute

Please say where this appeared to have been advised.  I can't remember this
ever being recommended, at least not in the documentation.  I think the
comment in the default config file we ship should also be more than clear
enough.  I think this is mostly a problem for people *not* reading
documentation or comments.


Kurt
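A small audit script for the mitigation discussed in this thread, added here as an example and not part of the bug report or the ntp package: it parses the `restrict default` lines of an ntp.conf, treats `noquery` (or `ignore`) as the mitigation, and otherwise accepts a global `disable monitor`, which the quoted upstream note gives as the alternative for releases before 4.2.7p26. The sample configurations are constructed.

```python
import shlex

def parse_ntp_conf(text):
    """Return (default_restricts, monitor_disabled) for an ntp.conf body.

    default_restricts is a list of (family, flags) for each 'restrict ... default'
    line, with family '-4', '-6' or 'any'; monitor_disabled is True if a
    'disable monitor' line is present anywhere in the file.
    """
    default_restricts = []
    monitor_disabled = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
        elif tokens[0] == "restrict":
            args = tokens[1:]
            family = "any"
            if args and args[0] in ("-4", "-6"):
                family, args = args[0], args[1:]
            if args and args[0] == "default":
                default_restricts.append((family, set(args[1:])))
    return default_restricts, monitor_disabled

def audit(text):
    """Return a list of findings; an empty list means the mitigation is present."""
    restricts, monitor_disabled = parse_ntp_conf(text)
    findings = []
    if not restricts:
        findings.append("no 'restrict default' line: all clients unrestricted")
    for family, flags in restricts:
        # 'ignore' refuses everything, so it also covers the mode 6/7 queries.
        if not flags & {"noquery", "ignore"} and not monitor_disabled:
            findings.append(f"restrict {family} default lacks noquery and monitor is enabled")
    return findings

# Constructed sample configurations (not taken from the bug report).
SAFE = """\
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
"""
WEAK = "restrict -4 default kod notrap nomodify nopeer\nrestrict -6 default kod notrap nomodify nopeer noquery\n"
ALT = "disable monitor\nrestrict default kod nomodify notrap nopeer\n"

if __name__ == "__main__":
    for name, cfg in (("SAFE", SAFE), ("WEAK", WEAK), ("ALT", ALT)):
        print(name, audit(cfg) or "ok")
```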


