Date: Fri, 29 Jan 2016 16:47:07 +0100
From: enki <enki@...k.pl>
To:  <oss-security@...ts.openwall.com>
Cc:  <oss-security@...ts.openwall.com>,  <pool@...ts.ntp.org>, 
	 <linuxbrad@...il.com>,  <team@...urity.debian.org>, 
	"secalert" <secalert@...hat.com>
Subject: Re: shodan.io actively infiltrating ntp.org IPv6 pools for scanning purposes

---- On Fri, 29 Jan 2016 15:21:01 +0100 Hazel wrote ----
>On 27 January 2016 at 14:43, Kurt Seifried <kseifried@...hat.com> wrote: 
>> On Wed, Jan 27, 2016 at 4:24 AM, Luca BRUNO <lucab@...ian.org> wrote: 
>> > For oss-sec crowd: is there anything we can do to improve the situation
>> > and avoid similar cases in the future? Should crowd-sourced and
>> > fundamental services like this be encouraged to move to a stronger WoT?
>> 
>> [...] 
>> 
>> Sadly we can't really rely on the IoT device makers to fix this, they have
>> basically 0 incentive to prevent scanners from hitting their products
>> (they're already sold, too late for the customer to make an informed
>> decision).
> 
>I hope you'll forgive me making a modest proposal here, but it seems 
>to me that there might be an opportunity here for Linux distributions 
>that are upstream of IoT vendors to modify their default configuration 
>to address this. 
> 
>My somewhat off-the-cuff suggestion would be to... 
> 
>1. Add an *additional, secondary* IPv6 address to external interfaces that is: 
>-> a. generated in accordance with the IPv6 Privacy Extensions (i.e. RFC 4941) 
>-> b. firewalled by default against all traffic except NTP in either direction 
> 
>2. Configure the NTP *client* to use this secondary address as the 
>source for outgoing NTP traffic, instead of the default address? 
> 
>...thereby avoiding revealing the primary address of the host to 
>would-be scanners? 
> 

I'd go even further and use the IPv6 privacy-enhanced address for all outgoing connections, not only NTP. It's only a matter of time before someone sets up a Debian mirror for example that logs source addresses and launches scans against them.

-- 
enki@...k.pl
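
The two-step configuration proposed in the quoted message, as an added shell example that is not from this thread or from any project named in it: it generates a randomised interface identifier with the universal/local bit cleared as RFC 4941 section 3.2.1 requires (simplified: no history value and no regeneration over time), then prints the `ip`, nftables and ntp.conf lines that add the secondary address, firewall it to NTP only, and bind the NTP client to it. The interface name, the 2001:db8::/32 documentation prefix, an existing `ip6 filter` nftables table with `input`/`output` chains, and the precedence of later ntpd `interface` directives over earlier ones are assumptions; the commands are printed, not executed.

```shell
#!/bin/sh
# Added example: print the configuration for a secondary, NTP-only IPv6 address.
# Nothing is executed; review the output before applying it to a real host.
set -eu

# 64-bit random interface identifier with the universal/local bit (bit 6 of
# the first octet, mask 0x02) cleared, as RFC 4941 section 3.2.1 specifies.
# Simplified: no per-host history value and no periodic regeneration.
make_privacy_iid() {
    raw=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')   # 16 hex digits
    hh=$(printf '%s' "$raw" | cut -c1-2)
    first=$(( 0x$hh & 0xfd ))                           # clear the u/l bit
    hex=$(printf '%02x%s' "$first" "$(printf '%s' "$raw" | cut -c3-)")
    printf '%s:%s:%s:%s\n' \
        "$(printf '%s' "$hex" | cut -c1-4)"  "$(printf '%s' "$hex" | cut -c5-8)" \
        "$(printf '%s' "$hex" | cut -c9-12)" "$(printf '%s' "$hex" | cut -c13-16)"
}

# $1 interface name, $2 the /64 prefix (first four groups), $3 interface
# identifier. Output: ip(8), nft(8) and ntp.conf lines for steps 1 and 2.
# Assumed: an "ip6 filter" table with input/output chains already exists.
emit_config() {
    ifc=$1; prefix=$2; iid=$3
    addr="$prefix:$iid"
    echo "# step 1: secondary address, in addition to the interface's primary one"
    echo "ip -6 addr add $addr/64 dev $ifc"
    echo "# step 1b: only NTP (udp/123) may use the address, in either direction"
    echo "nft add rule ip6 filter output ip6 saddr $addr udp dport 123 accept"
    echo "nft add rule ip6 filter output ip6 saddr $addr drop"
    echo "nft add rule ip6 filter input ip6 daddr $addr udp sport 123 accept"
    echo "nft add rule ip6 filter input ip6 daddr $addr drop"
    echo "# step 2 (ntp.conf): bind the client to the secondary address only;"
    echo "# assumed: later interface directives take precedence over earlier ones"
    echo "interface ignore wildcard"
    echo "interface ignore ipv6"
    echo "interface listen $addr"
}

# Constructed sample input: documentation prefix, not a real network.
emit_config eth0 2001:db8:1:2 "$(make_privacy_iid)"
```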
