NTP Sync Issue Across Tata (Europe)

William Herrin bill at herrin.us
Sun Aug 6 17:52:44 UTC 2023


On Sat, Aug 5, 2023 at 7:24 PM Mel Beckman <mel at beckman.org> wrote:
> That still leaves you open to NTP attacks. The USNO accuracy and monitoring is worthless if you suffer, for example, an NTP DDoS attack.

Hi Mel,

From what I can tell, a fairly simple firewall policy of allow UDP 123
from known NTP clients and established connections (I sent them a UDP
packet recently) stops every one of those attacks (that's actually an
NTP attack and not something else like a DNS attack) except for
upstream address hijack that happens to coincide with your system
boot. And it still depends on the attacker executing an additional
sophisticated attack to do more than cause you a denial of service.

The links you sent are very interesting, at least in an academic
sense, but they don't cause me to be unduly concerned about employing
NTP.


> if you can eliminate such security problems for $400, I say it’s cheap at twice the price.

Except you can't. Redundancy is required for any critical service. At
the $400 price point, your approach has multiple
single-points-of-failure. The device itself of course. Your ability to
receive continuous non-jammed GPS signals at the location where you're
able to place an antenna. And in your plan you'll need one of these in
every discontiguous network where you have equipment since you're not
doing NTP over the Internet.

Not to mention the operations cost. Keeping track of a six inch brick
with a wall wart and an antenna installed at a remote site is... not
entirely abnormal but it's a one-off that consumes manpower.

And then you're only vulnerable to the litany of Internet attacks
which don't involve NTP. Yay!

Don't get me wrong: the Time Machines TM1000A you recommended looks
like a cool little device well worth checking into. As a supplement to
Internet NTP, not a replacement.

Regards,
Bill Herrin


--
William Herrin
bill at herrin.us
https://bill.herrin.us/
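The firewall policy Bill sketches above ("allow UDP 123 from known NTP clients and established connections") is easy to state but the "established" part is where people get the details wrong, since UDP has no handshake and the packet filter only knows a flow is established because it saw our own outbound query first. The following Python model is an added illustration and not part of the original message or of any NANOG participant's setup; it implements that policy as a decision function over a constructed packet trace (RFC 5737 documentation addresses, a hypothetical 30-second reply window standing in for a conntrack UDP timeout, and a made-up `10.10.0.0/16` client range) so the accept/drop behaviour for solicited replies, unsolicited "replies", known clients and unknown clients can be checked offline.

```python
"""Model of: allow UDP/123 from known NTP clients and from established flows.

Added example, not the list poster's code. A flow counts as "established"
only if we sent an outbound UDP/123 packet to that peer recently, which is
what a stateful packet filter's conntrack table does for UDP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NTP_PORT = 123
# Assumption: how long an unanswered outbound UDP query keeps its reply slot
# open. Stateful firewalls commonly use a value in this range; it is a policy
# choice, not something the mailing-list post specifies.
REPLY_WINDOW_SECONDS = 30.0


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving our NTP host, "in" = arriving at it
    src: str
    sport: int
    dst: str
    dport: int
    ts: float        # seconds since an arbitrary epoch


class NtpFilter:
    def __init__(self, our_addrs, known_clients):
        self.our_addrs = {ip_address(a) for a in our_addrs}
        self.known_clients = [ip_network(n) for n in known_clients]
        # (our_addr, our_port, peer_addr, peer_port) -> time of our last query
        self.flows = {}

    def _known_client(self, addr):
        a = ip_address(addr)
        return any(a in net for net in self.known_clients)

    def decide(self, pkt):
        """Return "allow" or "drop" for one packet, updating flow state."""
        if pkt.direction == "out":
            if pkt.dport == NTP_PORT:
                # Remember our own query so the server's reply is accepted.
                self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return "allow"

        # Inbound: first, is this a reply to a query we sent recently?
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.flows.get(key)
        if last is not None:
            if 0 <= pkt.ts - last <= REPLY_WINDOW_SECONDS:
                return "allow"
            del self.flows[key]          # stale slot; expire it

        # Otherwise only clients we serve may query our NTP port.
        if (pkt.dport == NTP_PORT
                and ip_address(pkt.dst) in self.our_addrs
                and self._known_client(pkt.src)):
            return "allow"
        return "drop"


OUR_SERVER = "192.0.2.1"        # constructed: our NTP host
UPSTREAM = "198.51.100.10"      # constructed: an upstream stratum-1/2 server

# Constructed trace using RFC 5737 documentation ranges.
SAMPLE_PACKETS = [
    Packet("out", OUR_SERVER, 123, UPSTREAM, 123, 0.0),        # our query upstream
    Packet("in", UPSTREAM, 123, OUR_SERVER, 123, 0.8),          # solicited reply
    Packet("in", "203.0.113.9", 123, OUR_SERVER, 123, 1.0),     # unsolicited "reply"
    Packet("in", "10.10.5.20", 47000, OUR_SERVER, 123, 2.0),    # known client query
    Packet("in", "203.0.113.44", 51000, OUR_SERVER, 123, 2.5),  # unknown client query
    Packet("in", UPSTREAM, 123, OUR_SERVER, 123, 60.0),         # reply after window expired
]


def run_sample():
    """Apply the policy to the constructed trace; returns one verdict per packet."""
    fw = NtpFilter(our_addrs=[OUR_SERVER], known_clients=["10.10.0.0/16"])
    return [fw.decide(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} @ {pkt.ts:5.1f}s  {verdict}")
```

The two "drop" verdicts for packets that look like NTP replies are the point of the model: a packet from a server we never asked, or one that arrives long after our query, is rejected even though it is UDP/123 to UDP/123, so amplification or spoofed-reply traffic never reaches the daemon. The one case the post itself concedes, an upstream address hijack that coincides with the host's own query at boot, is outside what any packet filter can see, since the reply would match the pending flow exactly.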

