
drdos Amplification attacks

268 Views 1 Reply Latest reply: Feb 15, 2014 7:49 AM by MrHoffman
Free Tibet
Feb 15, 2014 3:02 AM

Are servers 10.6.8 to Mavericks vulnerable to this?

  • MrHoffman Level 6 (11,695 points)
    Feb 15, 2014 7:49 AM (in response to Free Tibet)

    Potentially yes.

     

    In general, there should be no ports open through your network firewall and into your server(s), except those TCP and UDP ports that you require and are specifically using.   Whatever access and ports that can be protected by VPN or other techniques, should be closed and then accessed via VPN.  If this general configuration matches yours and if you're not allowing NTP, SNMP or DNS ingress, then you're not vulnerable to the current crop of distributed denial of service (DDoS) attacks.

     

    If there is remote access, then you can and probably should run the available tests for the NTP, DNS and SNMP distributed denial of service attacks that are presently underway, and see if your particular local configuration is vulnerable.  Either shut down the vulnerable service, patch the configuration file or related settings, upgrade it, or block inbound remote access into the port at the firewall.

     

    Depending on the specific local configuration, yes, OS X Server can be targeted with these and probably also with other DDoS attacks. 

     

    Misconfigured OS X Server systems can and have been targeted as SMTP spam relays, and various other attacks, as well.

     

    The default NTP version found in the OS X Server versions I've checked is the vulnerable version, but a quick check of the configuration here doesn't respond to the monlist command; local NTP would have to be customized to operate as a server.  If it has been, then it can be targeted.

     

    What follows is a vulnerable and a not-vulnerable NTP server:

    $ ntpdc -n 192.168.24.10
    ntpdc> monlist
    remote address          port local address      count m ver rstr avgint  lstint
    =======================================
    192.168.24.4              58839 192.168.24.10      {"stuff"}
    ntpdc> exit

    $ ntpdc -n 192.168.24.11
    ntpdc> monlist
    192.168.24.11: timed out, nothing received
    ***Request timed out
    ntpdc>

     

    Default DNS can be targeted, particularly if remote access into the local DNS server is available and recursive queries are enabled.

     

    Default SNMP can be targeted, if remote access is available and if SNMP has been enabled.

     

    Firewalls are not a panacea here, however.  A firewall-protected vulnerable server can still end up participating in a distributed denial of service, if there's a compromised system located behind the firewall, or with access through the firewall.

     

    Some general information on SNMP with links to DNS info

    General information on NTP reflection DDoS attacks.

    More information on SNMP reflection.
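To make the NTP part of the reply above concrete, here is an added example (not from the reply, and not Apple's shipped configuration) of an ntp.conf that has been customized to serve time and, as a side effect, answers monlist from any host, next to the same configuration hardened so it still serves time to the LAN but refuses mode 6/7 queries. The upstream server names, the 192.168.24.0/24 subnet and the driftfile path are assumed placeholders; the directives are the ntp.org reference implementation's restrict and disable monitor.

```conf
# --- Vulnerable: serves time AND answers ntpdc/ntpq queries from anywhere ---
server 0.pool.ntp.org            # assumed upstream servers
server 1.pool.ntp.org
driftfile /var/db/ntp.drift      # assumed path
# No "restrict" lines at all: any remote host may send mode 7 requests,
# so "ntpdc -n <this host>" followed by "monlist" returns the recent-peer
# table, a response far larger than the request (what reflection abuses).

# --- Hardened: still a time server for the LAN, no monlist, no remote control ---
server 0.pool.ntp.org
server 1.pool.ntp.org
driftfile /var/db/ntp.drift
disable monitor                  # stop collecting the data monlist reports
# Default policy for every address not matched below:
#   noquery  - refuse ntpq/ntpdc (mode 6 and mode 7) queries, incl. monlist
#   nomodify - refuse runtime configuration changes
#   notrap   - refuse control-message trap service
#   nopeer   - do not form peer associations with unknown hosts
#   kod      - send Kiss-o'-Death packets to misbehaving clients
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Local administration with ntpq/ntpdc keeps working:
restrict 127.0.0.1
restrict -6 ::1
# LAN clients may synchronize time but may not query or reconfigure:
restrict 192.168.24.0 mask 255.255.255.0 nomodify notrap nopeer noquery
```

With the hardened file loaded, the ntpdc monlist check shown in the reply should time out exactly like the second (not-vulnerable) server, while ordinary clients on the LAN still get time.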
