Default NTP settings

Hello VyOS Community!

While setting up a new router I noticed that set service ntp allow-client address 0.0.0.0/0 comes as default, allowing anyone to send NTP requests to VyOS.

Wouldn’t that allow a VyOS router to be used by NTP reflection DDoS attacks?

Yes, best to remove or limit there and via firewall rules.

Maybe something to remove from the default configuration out of the box, e.g. secure by default.

I don’t see why that should be a default anyway.

VyOS is a router, and all of its services should not respond to 0.0.0.0/0, but just to their direct clients.

Any admin that has the knowledge to set up a router from scratch should also be able to configure the NTP server to allow NTP requests from its clients' prefixes.

Hi,

Create a ticket here https://vyos.dev/ with your requirement; you need an extra account.

Reason is NTP was always enabled in the past and as time evolved we added more and more NTP knobs and added allow-clients. Then we moved to chrony and also needed the CLI to be migrated.

The VyOS default configuration used during install does not carry any version information, so it traverses all migration scripts on first boot, which results in the added 0.0.0.0/0 allow range to retain previous behavior. You are free to replace the default configuration with your own or, as stated above, open up a feature request to possibly drop NTP from the default configuration at all.

With that being said I would prefer VyOS to have safe defaults compared to let's say Cisco who have all sort of backdoors enabled by default.

That is I would prefer default off or default hardened so you must make config changes to open it up rather than as it is today with default on and you must make config changes to lock it down.

Using NTP in reflection attacks is a thing and we should all make life easier for others and not harder.

In this particular case, in case of defaulting to 0.0.0.0/0 due to some migration thingy, the migration (and default if not set) should be typed as 127.0.0.1/32 or similar so the admin must make a change to whatever networks are being used.

Normally, firewall rules are in place, not exposing NTP (and other services) to the internet.

There are no firewall rules on clean installs.

That and the default NTP settings are enabling bad actors to use VyOS routers (which are usually very well connected and publicly accessible on the internet) as a large botnet to do DDoS reflection attacks.

With a quick Shodan search we are able to find ~3000 VyOS installs publicly reachable over the internet. Considering a 1:100 reflection rate for NTP someone is able to craft an insanely large DDoS attack using only these default settings on VyOS.

I must remember: this is not only a case of an unsafe configuration, but a default setting that some admins will overlook.

Normally a router rarely has firewall rules configured.

And firewall rules shouldn't be needed; the default should be secure.

Having “ntp clients” default to 0.0.0.0/0 is just bad.

We disabled it by default several times before.
But then users say "hey, nothing is working, you have a bug bla bla bla".
So it was returned again.
As to me it is better to open by default vs getting a non-working VPN.

If you must configure it anyway when it is disabled by default, why not configure a proper firewall?

The thing is chrony allows only one IPv4 listen address. If you have only one network it will work for you. If you have several, you have to use 0.0.0.0.

Since open relays of NTP servers are being used in reflection DDoS attacks I think it's a very bad idea to have it open by default, especially for 0.0.0.0/0 as "ntp clients".

Users who don't read even the simplest manuals will always exist and we shouldn't adapt to the worst kind of users IMHO.

Another workaround is to have a default firewall rule that will limit who will be able to query the NTP server on VyOS in case it's "impossible" to get rid of the 0.0.0.0/0 ntp clients setting.


Because it’s unsafe by default as it is. The fact is that most people will not review the default configuration and apply the correct firewall rules.

LAN and WAN concept on routers is not always well defined, and it can be impossible to find a default firewall rule that can filter non-local access.

If it’s not really possible to disable NTP as default we should at least configure it as:

set service ntp allow-client address 127.0.0.0/8
set service ntp allow-client address 10.0.0.0/8
set service ntp allow-client address 172.16.0.0/12
set service ntp allow-client address 192.168.0.0/16
set service ntp allow-client address 169.254.0.0/16

I still defend that it’s a router after all, and it should be disabled by default.

Not even SSH is enabled by default, so why should we enable NTP for the whole internet to use?

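A small audit script illustrating the check this post argues for, added here as an example and not code from the VyOS project or from any poster. It reads a VyOS configuration in the "set ..." form produced by show configuration commands, classifies every allow-client prefix as world-open, local (loopback, RFC 1918, link-local and their IPv6 equivalents) or public, and proposes the delete/set commands that would replace a 0.0.0.0/0 entry with the prefixes suggested above. The sample configuration embedded in it is constructed; only the set service ntp allow-client address syntax comes from the thread.

```python
"""Audit a VyOS 'show configuration commands' dump for an over-broad NTP allow-client list.

Added example for this thread, not VyOS project code.  SAMPLE_CONFIG is constructed;
only the 'set service ntp allow-client address <prefix>' syntax is taken from the thread.
"""
import ipaddress
import re

# Scopes a router's NTP server can reasonably be expected to serve: loopback, RFC 1918,
# link-local, plus their IPv6 counterparts.  Anything else is either the whole Internet
# or a public prefix that needs an explicit justification from the admin.
LOCAL_SCOPES = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# The prefixes the thread proposes as a safer default, in VyOS CLI form.
SUGGESTED_DEFAULT = [
    "set service ntp allow-client address 127.0.0.0/8",
    "set service ntp allow-client address 10.0.0.0/8",
    "set service ntp allow-client address 172.16.0.0/12",
    "set service ntp allow-client address 192.168.0.0/16",
    "set service ntp allow-client address 169.254.0.0/16",
]

ALLOW_CLIENT_RE = re.compile(r"^set service ntp allow-client address (\S+)\s*$")


def parse_allow_clients(config_text):
    """Extract every allow-client prefix from 'show configuration commands' output."""
    prefixes = []
    for line in config_text.splitlines():
        m = ALLOW_CLIENT_RE.match(line.strip())
        if m:
            # strict=False tolerates host bits set inside the prefix.
            prefixes.append(ipaddress.ip_network(m.group(1), strict=False))
    return prefixes


def classify_prefix(prefix):
    """'world' for a /0, 'local' for loopback/private/link-local, otherwise 'public'."""
    if prefix.prefixlen == 0:
        return "world"
    for scope in LOCAL_SCOPES:
        # subnet_of() raises on mixed address families, so compare versions first.
        if prefix.version == scope.version and prefix.subnet_of(scope):
            return "local"
    return "public"


def audit_ntp_allow(config_text):
    """Group the configured allow-client prefixes by exposure class."""
    report = {"world": [], "public": [], "local": []}
    for prefix in parse_allow_clients(config_text):
        report[classify_prefix(prefix)].append(str(prefix))
    return report


def remediation_commands(config_text):
    """VyOS commands that drop world-open entries; if no local prefix would remain,
    add the loopback/RFC 1918/link-local set proposed in the thread."""
    report = audit_ntp_allow(config_text)
    commands = [f"delete service ntp allow-client address {p}" for p in report["world"]]
    if report["world"] and not report["local"]:
        commands.extend(SUGGESTED_DEFAULT)
    return commands


# Constructed sample: a router that kept the 0.0.0.0/0 default and added two more prefixes.
SAMPLE_CONFIG = """\
set service ntp allow-client address 0.0.0.0/0
set service ntp allow-client address 192.168.10.0/24
set service ntp allow-client address 203.0.113.0/24
set service ntp server ntp.example.com
set service ssh port 22
"""

if __name__ == "__main__":
    result = audit_ntp_allow(SAMPLE_CONFIG)
    for cls in ("world", "public", "local"):
        for p in result[cls]:
            print(f"{cls:6} {p}")
    for cmd in remediation_commands(SAMPLE_CONFIG):
        print(cmd)
```

Public prefixes are reported rather than deleted: an admin who deliberately serves NTP to their own public client ranges, as an earlier post describes, has a legitimate entry there, and the script only draws attention to it.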

Feel free to create a PR.

@Viacheslav @aldemaro
Opened a task on everybody's behalf and did some digging in the source tree. Happy to submit a PR; just need confirmation whether the default is configured from elsewhere vs what I found.

https://vyos.dev/T6123