NTP Sync Issue Across Tata (Europe)

Mel Beckman mel at beckman.org
Sun Aug 6 18:19:44 UTC 2023


William,

Due to flaws in the NTP protocol, a simple UDP filter is not enough. These flaws make it trivial to spoof NTP packets, and many firewalls have no specific protection against this. In one attack the malefactor simply fires a continuous stream of NTP packets with invalid time at your firewall. When your NTP client queries the spoofed server, the malicious packet is the one you likely receive.

That’s just one attack vector. There are several others, and all have complex remediation. Why should people bother being exposed to the risk at all? Simply avoid Internet-routed NTP. There are many solutions, as I’ve already described. Having suffered through such attacks more than once, I can say from personal experience that you don’t want to risk it.

 -mel 

> On Aug 6, 2023, at 10:53 AM, William Herrin <bill at herrin.us> wrote:
> 
> On Sat, Aug 5, 2023 at 7:24 PM Mel Beckman <mel at beckman.org> wrote:
>> That still leaves you open to NTP attacks. The USNO accuracy and monitoring is worthless if you suffer, for example, an NTP DDoS attack.
> 
> Hi Mel,
> 
> From what I can tell, a fairly simple firewall policy of allow UDP 123
> from known NTP clients and established connections (I sent them a UDP
> packet recently) stops every one of those attacks (that's actually an
> NTP attack and not something else like a DNS attack) except for
> upstream address hijack that happens to coincide with your system
> boot. And it still depends on the attacker executing an additional
> sophisticated attack to do more than cause you a denial of service.
> 
> The links you sent are very interesting, at least in an academic
> sense, but they don't cause me to be unduly concerned about employing
> NTP.
> 
> 
>> if you can eliminate such security problems for $400, I say it’s cheap at twice the price.
> 
> Except you can't. Redundancy is required for any critical service. At
> the $400 price point, your approach has multiple
> single-points-of-failure. The device itself of course. Your ability to
> receive continuous non-jammed GPS signals at the location where you're
> able to place an antenna. And in your plan you'll need one of these in
> every discontiguous network where you have equipment since you're not
> doing NTP over the Internet.
> 
> Not to mention the operations cost. Keeping track of a six inch brick
> with a wall wart and an antenna installed at a remote site is... not
> entirely abnormal but it's a one-off that consumes manpower.
> 
> And then you're only vulnerable to the litany of Internet attacks
> which don't involve NTP. Yay!
> 
> Don't get me wrong: the Time Machines TM1000A you recommended looks
> like a cool little device well worth checking into. As a supplement to
> Internet NTP, not a replacement.
> 
> Regards,
> Bill Herrin
> 
> 
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
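Client-side checks against the spoofed-reply flood Mel describes above, complementing the "established connection" firewall filter Bill mentions. This is an added example, not code from either poster: a reply is accepted only if it echoes our request's transmit timestamp (which a blind flood cannot know), is not unsynchronized/stratum 0, and is within ntpd's default 1000 s panic threshold. All packets and the `1691345984` "current time" are constructed for the demonstration.

```python
import os
import struct
import time

NTP_FMT = "!BBBbIIIQQQQ"        # 48-byte NTPv4 header, no extension fields
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to the Unix epoch
PANIC_THRESHOLD = 1000.0        # ntpd's default step-panic limit, in seconds

def build_request(now=None, nonce=None):
    """Mode-3 client request; the transmit timestamp doubles as a nonce."""
    now = time.time() if now is None else now
    nonce = int.from_bytes(os.urandom(4), "big") if nonce is None else nonce
    xmt = ((int(now) + NTP_EPOCH_OFFSET) << 32) | nonce
    return struct.pack(NTP_FMT, (4 << 3) | 3, 0, 6, -20, 0, 0, 0, 0, 0, 0, xmt)

def parse(pkt):
    """Decode only the header fields the validation needs."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_FMT, pkt[:48])
    return {"li": f[0] >> 6, "mode": f[0] & 7, "stratum": f[1], "org": f[8], "xmt": f[10]}

def validate_reply(request, reply, now=None):
    """Return (accepted, reason) for a reply received after sending request."""
    now = time.time() if now is None else now
    req, rep = parse(request), parse(reply)
    if rep["mode"] != 4:
        return False, "not a server reply (mode != 4)"
    if rep["org"] != req["xmt"]:   # unsolicited packet: attacker never saw our nonce
        return False, "origin timestamp does not echo our request"
    if rep["li"] == 3 or rep["stratum"] == 0 or rep["stratum"] > 15:
        return False, "server unsynchronized, kiss-o'-death or invalid stratum"
    skew = abs(((rep["xmt"] >> 32) - NTP_EPOCH_OFFSET) - now)
    if skew > PANIC_THRESHOLD:
        return False, f"transmit time is {skew:.0f}s from local clock; refusing to step"
    return True, "ok"

def build_reply(request, server_now, stratum=2, li=0, origin=None):
    """Constructed mode-4 reply for the demo (not captured server output)."""
    org = parse(request)["xmt"] if origin is None else origin
    ts = (int(server_now) + NTP_EPOCH_OFFSET) << 32
    return struct.pack(NTP_FMT, (li << 6) | (4 << 3) | 4, stratum, 6, -20,
                       0, 0, 0x474F4F44, ts, org, ts, ts)

def demo(now=1691345984):
    """Constructed 'now' (this post's date): one genuine reply, two forged ones."""
    req = build_request(now=now, nonce=0x12345678)
    genuine = build_reply(req, now + 0.02)
    blind_flood = build_reply(req, now + 86400, origin=0)  # flood with wrong time
    unsynced = build_reply(req, now, li=3, stratum=0)      # claims no valid clock
    return [validate_reply(req, r, now=now)[0] for r in (genuine, blind_flood, unsynced)]
```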


More information about the NANOG mailing list