[Info-vax] Warning: Your VMS system may be attacking other systems
Michael Moroney
moroney at world.std.spaamtrap.com
Sat Feb 1 13:14:30 EST 2014
Stephen Hoffman <seaohveh at hoffmanlabs.invalid> writes:
>Here's a write-up on and a workaround for the NTP DDoS, pending an
>upgrade to a newer version of NTP:
>https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
>This is the US CERT alert:
>https://www.us-cert.gov/ncas/alerts/TA14-013A
>I'd expect the workaround applies to OpenVMS, as well.
Thanks, Hoff.
To see if your system has been abused, do the following:

    $ ntpdc :== $tcpip$ntpdc
    $ ntpdc
    monlist

You should only see the peers you use listed. If you see a list of
600 random systems, you're being abused.

For simplicity, here's how to keep VMS from being abused by this:
Edit the file SYS$SYSROOT:[TCPIP$NTP]TCPIP$NTP.CONF and add the following
lines at the end:

    # NTP Reflection DDOS attack
    restrict default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1

The first restrict disables abusable things, the second allows you to do
those things locally.

Stop and restart NTP.
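
An added example, not part of the original post: a small Python check that reads the text of an NTP configuration file and reports whether the two restrict lines above are in place. The function names and the sample server names are made up for illustration; lines using -4/-6 address-family qualifiers are not interpreted, so a default rule written that way is reported as missing.

```python
# Added example: audit NTP configuration text for the two restrict lines in the post.
WANTED = {"kod", "nomodify", "notrap", "nopeer", "noquery"}  # flags from the post

def parse_restricts(conf_text):
    """Map each restricted address to the union of flags on its restrict lines."""
    rules = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments, then tokenize
        if len(tokens) < 2 or tokens[0].lower() != "restrict":
            continue
        addr, rest, flags = tokens[1].lower(), tokens[2:], set()
        while rest:
            word = rest.pop(0).lower()
            if word == "mask" and rest:
                rest.pop(0)                        # skip the netmask value
            else:
                flags.add(word)
        rules.setdefault(addr, set()).update(flags)  # assumption: repeats accumulate
    return rules

def audit(conf_text):
    """Return findings; an empty list means both lines from the post are present."""
    rules, findings = parse_restricts(conf_text), []
    if "default" not in rules:
        findings.append("missing 'restrict default': remote queries such as monlist are not restricted")
    else:
        missing = sorted(WANTED - rules["default"])
        if missing:
            findings.append("'restrict default' lacks: " + " ".join(missing))
    local = rules.get("127.0.0.1")
    if local is None:
        findings.append("missing 'restrict 127.0.0.1': local ntpdc queries fall under the default rule")
    elif "noquery" in local:
        findings.append("'restrict 127.0.0.1' has noquery: local ntpdc queries are blocked")
    return findings

# Constructed sample configurations (server names are placeholders).
BEFORE = """\
server ntp1.example.com
server ntp2.example.com
"""
AFTER = BEFORE + """\
# NTP Reflection DDOS attack
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text) or "ok")
```

Pass the contents of TCPIP$NTP.CONF to audit() after editing and before restarting NTP; an empty result means both lines were found.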