[ntp:security] CVE-2013-5211 and publicising the need for 'noquery'

Steve Kostecke kostecke at ntp.org
Thu Jan 9 14:48:58 UTC 2014


I have not posted information about making NTP resistance to NTP
Spoofing (aka "amplification attacks") yet. Here's why:

During an older IRC discussion about solutions to the current UDP spoofing
issue I made a comment about the need to release an announcement. Harlan
susequently made the statement in reply that a CERT announcement was in
the works. So I've been waiting for that announcement.

But this morning sarcastic comment was made in #ntp about the fact the
there is no UDP spoofing mitigation information at www.ntp.org. And the
reply to this was "nobody new has volunteered to write that up yet, no
existing volunteers have had the time to do it yet, and NTF doesn't have
anywhere near enough budget to pay somebody to work on it."

I'm not sure where we benefit by impuning each other in public fora. But
that's not the point here.

If there is a consensus that it is OK to post UDP spoofing mitigation
information prior to the release of the CERT announcement I'll do so.

-- 
Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project http://support.ntp.org/
Public Key at http://support.ntp.org/Users/SteveKostecke


More information about the security mailing list