[Info-vax] Warning: Your VMS system may be attacking other systems
David Froble
davef at tsoft-inc.com
Sat Feb 1 14:10:47 EST 2014
Michael Moroney wrote:
> Stephen Hoffman <seaohveh at hoffmanlabs.invalid> writes:
>
> >> Here's a write-up on and a workaround for the NTP DDoS, pending an
>> upgrade to a newer version of NTP:
>
>> https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
>
>> This is the US CERT alert:
>
>> https://www.us-cert.gov/ncas/alerts/TA14-013A
>
>> I'd expect the workaround applies to OpenVMS, as well.
>
> Thanks, Hoff.
>
> To see if your system has been abused, do the following:
>
> $ ntpdc :== $tcpip$ntpdc
> $ ntpdc
> monlist
>
> You should only see the peers you use listed. If you see a list of
> 600 random systems, you're being abused.
>
>
>
> For simplicity, here's how to avoid VMS from being abused by this:
>
> Edit the file SYS$SYSROOT:[TCPIP$NTP]TCPIP$NTP.CONF and add the following
> lines at the end:
>
>
> # NTP Reflection DDOS attack
>
> restrict default kod nomodify notrap nopeer noquery
> restrict 127.0.0.1
>
> The first restrict disables abusable things, the second allows you to do
> those things locally.
>
> Stop and restart NTP.
Ok, checked, and don't seem to have the problem. Didn't think I'd have
the problem, cause my internet connection is through Verizon Wireless
Broadband. Not only do I have a NAT router, but, it seems that Verizon
does something similar, such that my external IP address is not
reachable from the internet since there is another scheme similar to NAT
that Verizon is using.
However, on both a VAX and an Alpha, I'm seeing about 1 I/O per second
on the NTP_1 process. Anybody know what NTP is doing to generate I/Os
so often? I figured there would be 1 or a couple I/Os each time it went
to check with a peer, which is not that often.
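
The following is an added example, not part of the original thread or of TCPIP Services: a small Python audit that reads NTP configuration text and reports whether the restrict lines quoted above are in place. The function names, the sample server names and the treatment of repeated restrict lines (flags merged) are assumptions of this sketch.

```python
# Added example (not from the thread): audit ntp.conf text for the quoted workaround.
QUERY_BLOCKERS = {"noquery", "ignore"}   # flags that make ntpd refuse ntpdc/ntpq queries
OTHER_FLAGS = ("kod", "nomodify", "notrap", "nopeer")  # rest of the quoted line

def parse_restrict(conf_text):
    """Return {address: set(flags)} for each 'restrict' line; '#' starts a comment."""
    rules = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].lower().split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = args.pop(0) + " " if args[0] in ("-4", "-6") else ""
        if not args:
            continue
        addr, flags = family + args[0], args[1:]
        if len(flags) >= 2 and flags[0] == "mask":
            addr, flags = addr + "/" + flags[1], flags[2:]
        # Simplification: repeated lines for one address have their flags merged.
        rules.setdefault(addr, set()).update(flags)
    return rules

def audit(conf_text):
    """Return a list of findings; an empty list means the workaround is in place."""
    rules = parse_restrict(conf_text)
    findings = []
    defaults = {a: f for a, f in rules.items() if a.split()[-1] == "default"}
    open_defaults = [a for a, f in defaults.items() if not f & QUERY_BLOCKERS]
    if not defaults:
        findings.append("FAIL: no 'restrict default' line, so monlist queries are not refused")
    elif open_defaults:
        findings.append("FAIL: no noquery on: " + ", ".join(sorted(open_defaults)))
    else:
        for addr, flags in sorted(defaults.items()):
            missing = [f for f in OTHER_FLAGS if f not in flags and "ignore" not in flags]
            if missing:
                findings.append(f"WARN: '{addr}' is missing " + " ".join(missing))
        local = rules.get("127.0.0.1")
        if local is None or local & QUERY_BLOCKERS:
            findings.append("INFO: no open 'restrict 127.0.0.1', local ntpdc will be refused")
    return findings

# Constructed sample inputs (server names are placeholders).
BEFORE = "server ntp1.example.net\nserver ntp2.example.net\n"
AFTER = BEFORE + ("# NTP Reflection DDOS attack\n"
                  "restrict default kod nomodify notrap nopeer noquery\n"
                  "restrict 127.0.0.1\n")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text) or "OK")
```
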