NTP Sync Issue Across Tata (Europe)

Mel Beckman mel at beckman.org
Sun Aug 6 02:24:13 UTC 2023


Bill,

That still leaves you open to NTP attacks. The USNO accuracy and monitoring are worthless if you suffer, for example, an NTP DDoS attack.

<https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/>


There are also replay and man-in-the-middle (MITM) attacks, which can corrupt local NTP servers’ time basis. Worse, security flaws in NTP make other security protocols, such as SSL, vulnerable.

https://www.sidn.nl/en/news-and-blogs/security-flaws-in-network-time-protocol-make-other-security-protocols-vulnerable

If you can eliminate such security problems for $400, I say it’s cheap at twice the price.

 -mel

On Aug 5, 2023, at 6:18 PM, William Herrin <bill at herrin.us> wrote:

On Sat, Aug 5, 2023 at 12:26 PM Mel Beckman <mel at beckman.org> wrote:
You might consider setting up your own GPS-based NTP network.

GPS time is monitored (and when necessary, adjusted) from the U.S.
Naval Observatory Master Clock, which is -the- authoritative time
source for the United States. The USNO also provides an NTP time
source from the same master clock:

https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/

You -should not- just point your servers there, but it's useful to
point a few servers each at one of them in order to serve as your
network stratum 2 sources that keep the rest of your machines in sync
with each other.

That last point is key. You don't want your servers in sync with
random Internet time sources. You want them in sync with each other.

Regards,
Bill Herrin



--
William Herrin
bill at herrin.us
https://bill.herrin.us/