drdos Amplification attacks

Are servers 10.6.8 to Mavericks vulnerable to this?

Posted on Feb 15, 2014 3:02 AM

Feb 15, 2014 7:49 AM in response to Free Tibet

Potentially yes.


In general, there should be no ports open through your network firewall and into your server(s), except those TCP and UDP ports that you require and are specifically using. Whatever access and ports can be protected by VPN or other techniques should be closed and then accessed via VPN. If this general configuration matches yours and if you're not allowing NTP, SNMP or DNS ingress, then you're not vulnerable to the current crop of distributed denial of service (DDoS) attacks.


If there is remote access, then you can and probably should run the available tests for the NTP, DNS and SNMP distributed denial of service attacks that are presently underway, and see if your particular local configuration is vulnerable. Either shut down the vulnerable service, patch the configuration file or related settings, upgrade it, or block inbound remote access into the port at the firewall.


Depending on the specific local configuration, yes, OS X Server can be targeted with these and probably also with other DDoS attacks.


Misconfigured OS X Server systems can and have been targeted as SMTP spam relays, and various other attacks, as well.


The default NTP version found in the OS X Server versions I've checked is the vulnerable version, but a quick check of the configuration here doesn't respond to the monlist command; local NTP would have to be customized to operate as a server. If it has been, then it can be targeted.


What follows is a vulnerable and a not-vulnerable NTP server:


$ ntpdc -n 192.168.24.10
ntpdc> monlist
remote address port local address count m ver rstr avgint lstint
=======================================
192.168.24.4 58839 192.168.24.10 {"stuff"}
ntpdc> exit

$ ntpdc -n 192.168.24.11
ntpdc> monlist
192.168.24.11: timed out, nothing received
***Request timed out
ntpdc>


Default DNS can be targeted, particularly if remote access into the local DNS server is available and recursive queries are enabled.


Default SNMP can be targeted, if remote access is available and if SNMP has been enabled.


Firewalls are not a panacea here, however. A firewall-protected vulnerable server can still end up participating in a distributed denial of service, if there's a compromised system located behind the firewall, or with access through the firewall.


Some general information on SNMP with links to DNS info.

General information on NTP reflection DDoS attacks.

More information on SNMP reflection.
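
As an added example (not part of the reply above, and not Apple or NTP project code), this Python script audits ntp.conf text for the condition the monlist test probes: ntpd answers a remote monlist only when its monitoring facility is active and the default `restrict` rules still permit ntpdc queries. The function name, the sample configurations and `time.example.net` are constructed for illustration; it assumes the standard ntpd `restrict`, `enable` and `disable monitor` directives and does not follow `includefile` lines.

```python
# Added example: static audit of ntp.conf for remote monlist exposure.
# Sample configurations below are constructed for illustration.

def audit_ntp_conf(text):
    """Decide from ntp.conf text whether ntpd would answer a remote monlist."""
    monitor_enabled = True   # ntpd's monitoring facility is on by default
    limited_used = False     # a 'limited' restriction keeps monitoring active
    default_rules = []       # flag set of every 'restrict default' line

    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].lower().split()
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_enabled = keyword == "enable"
        elif keyword == "restrict":
            # Drop the optional address-family switch before the address.
            rest = [a for a in args if a not in ("-4", "-6")]
            limited_used = limited_used or "limited" in rest
            if rest and rest[0] == "default":
                default_rules.append(set(rest[1:]))

    monitoring_active = monitor_enabled or limited_used
    # Queries are refused only if every default rule has noquery or ignore.
    queries_allowed = not default_rules or any(
        not ({"noquery", "ignore"} & rule) for rule in default_rules)
    notes = []
    if limited_used and not monitor_enabled:
        notes.append("'disable monitor' is overridden by 'limited'")
    if not default_rules:
        notes.append("no 'restrict default' line: queries are unrestricted")
    return {"monitoring_active": monitoring_active,
            "default_queries_allowed": queries_allowed,
            "monlist_exposed": monitoring_active and queries_allowed,
            "notes": notes}

# Constructed sample configurations (not taken from any real server).
SAMPLES = {
    "no restrictions": "server time.example.net\nrestrict 127.0.0.1\n",
    "noquery on defaults": "restrict default kod nomodify notrap nopeer noquery\n"
                           "restrict -6 default kod nomodify notrap nopeer noquery\n",
    "monitor disabled": "disable monitor\nrestrict default nomodify notrap\n",
    "limited overrides": "disable monitor\nrestrict default limited kod nomodify\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        result = audit_ntp_conf(conf)
        print(f"{name:22} exposed={result['monlist_exposed']} {result['notes']}")
```

A configuration that passes this audit should still be confirmed with the `ntpdc` monlist test shown above, since address-family coverage and included files are not evaluated.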
