[ntp:questions] Mitigating the ::1 spoof vulnerability

Harlan Stenn stenn at ntp.org
Fri Feb 6 22:44:02 UTC 2015


Marco Marongiu writes:
> Hi there
> 
> I'm referring to this one in particular: "::1 can be spoofed on some
> OSes, so ACLs based on IPv6 ::1 addresses can be bypassed".
> 
> Debian Squeeze doesn't have a patched package available in the
> squeeze-lts series yet. On those clients would a restriction like
> 
> restrict ::1 ignore
> 
> mitigate the vulnerability?

I think so, but it will also make it much harder to use ntpq and other
things.  It also won't do anything to protect other services that might
use source ACLs for protection.

Better to:

- fix your firewall rules to block ::1 incoming packets on external
  interfaces

- just build 4.2.8p1 and install it

H
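
The first suggestion above (blocking ::1 arriving on external interfaces), as an added example that is not part of the original message. It assumes a Linux host filtered with ip6tables; the function name `check_spoof_drop` and the sample dumps are constructed for illustration. The check reads `ip6tables-save` output and confirms the drop rule sits ahead of any general ACCEPT in the INPUT chain, since a drop placed after such a rule never sees the packet.

```shell
#!/bin/sh
# Rule to load as root on the NTP host (standard ip6tables syntax):
#   ip6tables -I INPUT 1 -s ::1 ! -i lo -j DROP

# check_spoof_drop: reads ip6tables-save text on stdin.
# Returns 0 only if the filter/INPUT chain drops source ::1 on non-loopback
# interfaces BEFORE any ACCEPT rule that is not restricted to "-i lo".
check_spoof_drop() {
    awk '
        /^\*/ { table = substr($0, 2) }          # "*filter", "*raw", ...
        table != "filter" || $1 != "-A" || $2 != "INPUT" { next }
        # The drop rule; accept both spellings of the interface negation
        # and the trailing space older iptables-save versions emit.
        /-s ::1(\/128)? / && (/! -i lo / || /-i ! lo /) && /-j DROP *$/ {
            found = 1; exit
        }
        # A general ACCEPT reached first would pass the spoofed packet.
        /-j ACCEPT *$/ && (!/ -i lo / || /! -i lo /) { exit }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample dumps (not taken from a real host).
SAMPLE_OK='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT'

SAMPLE_LATE='*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s ::1/128 ! -i lo -j DROP
COMMIT'

for name in SAMPLE_OK SAMPLE_LATE; do
    eval "dump=\$$name"
    if printf '%s\n' "$dump" | check_spoof_drop; then
        echo "$name: ::1 spoof drop is in place"
    else
        echo "$name: ::1 spoof drop missing or shadowed by an earlier ACCEPT"
    fi
done
```

On a live host the same function can be fed directly: `ip6tables-save | check_spoof_drop`.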

