Patch Tuesday coming, NTP DDoS here, Ruby 1.9.3 going – Security Snippets


  • Next Tuesday, Patch Tuesday: A friendly reminder that next Tuesday sees 147 Oracle patches (Java (CVSS 10),VirtualBox (6.8), MySQL(10)), 5 Microsoft Bulletins and Adobe Reader and Acrobat priority 1 fixes all rolling out on the same day. The 2014 patch season is open for business.

  • NTP DDoS Mitigation: It seems DNS reflection attacks (getting DNS servers to send unsolicited data at an IP address) are out and the new reflection is NTP reflection. This abuses the Network Time Protocol’s monlist command which sends a list of the last 600 machines an NTP server has talked to to a particular address. Prod enough NTP servers sends that list to a victim and you have your DDoS attack. Cloudflare’s blog has a post on how to mitigate these attacks – It’s worth checking out as over Christmas it seems some big game sites got slapped with the NTP reflection hammer.

  • Ruby 1.9.3 gets a dead date: Pencil February 23 2015 in as the date Ruby 1.9.3 shufffles off its mortal coil. More imminently, February 23 2014 is when Ruby 1.9.3 goes into security fix only mode so get your Ruby 2.x migration plans in order now.