NTP Sync Issue Across Tata (Europe)

Royce Williams royce at techsolvency.com
Sun Aug 6 19:00:40 UTC 2023


Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering
a reasonable mitigation for this, as designed?

Royce

On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman <mel at beckman.org> wrote:

> William,
>
> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These
> flaws make it trivial to spoof NTP packets, and many firewalls have no
> specific protection against this. In one attack the malefactor simply fires
> a continuous stream of NTP packets with invalid time at your firewall. When
> your NTP client queries the spoofed server, the malicious packet is the one
> you likely receive.
>
> That’s just one attack vector. There are several others, and all have
> complex remediation. Why should people bother being exposed to the risk at
> all? Simply avoid Internet-routed NTP. There are many solutions, as I’ve
> already described. Having suffered through such attacks more than once, I
> can say from personal experience that you don’t want to risk it.
>
>
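The exchange above turns on why peer diversity matters: an NTP client only discards a source that answers with an invalid time when it has enough independent sources to outvote it. The following is an added example, not code from the thread or from any NTP implementation; it is a deliberately simplified model of the RFC 5905 clock-selection step (a Marzullo-style interval intersection) run over constructed peer samples, with the peer names, offsets and root distances all invented for illustration.

```python
"""Simplified NTP clock selection (RFC 5905 section 11.2.1, Marzullo-style
intersection) over constructed peer samples, showing why peer diversity lets
a client discard a source that answers with an invalid time."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PeerSample:
    """One peer's measurement: estimated offset of our clock relative to the
    peer and the root distance (half-width of the correctness interval),
    both in seconds."""
    name: str
    offset: float
    root_dist: float

    @property
    def low(self) -> float:
        return self.offset - self.root_dist

    @property
    def high(self) -> float:
        return self.offset + self.root_dist


@dataclass
class ClockSelection:
    truechimers: List[str] = field(default_factory=list)   # peers kept
    falsetickers: List[str] = field(default_factory=list)  # peers discarded
    offset: Optional[float] = None  # combined offset; None when no majority


def intersection(samples: List[PeerSample]) -> Tuple[int, float, float]:
    """Return (count, lo, hi): the sub-interval covered by the largest number
    of correctness intervals.  Endpoints are swept in sorted order; a start
    (-1) sorts before an end (+1) at equal values, so touching intervals count
    as overlapping and the final event is always an end."""
    events = sorted(
        [(s.low, -1) for s in samples] + [(s.high, +1) for s in samples]
    )
    best, lo, hi, count = 0, 0.0, 0.0, 0
    for i, (value, kind) in enumerate(events):
        if kind == -1:
            count += 1
            if count > best:
                # The densest region starts here and ends at the next event.
                best, lo, hi = count, value, events[i + 1][0]
        else:
            count -= 1
    return best, lo, hi


def select_clock(samples: List[PeerSample]) -> ClockSelection:
    """Keep only peers whose interval contains the majority intersection.
    Without a strict majority nothing is trusted and no offset is applied,
    which is the safe failure mode when sources merely disagree."""
    sel = ClockSelection()
    if not samples:
        return sel
    count, lo, hi = intersection(samples)
    if count <= len(samples) / 2:
        sel.falsetickers = [s.name for s in samples]
        return sel
    for s in samples:
        if s.low <= hi and s.high >= lo:
            sel.truechimers.append(s.name)
        else:
            sel.falsetickers.append(s.name)
    chosen = [s for s in samples if s.name in sel.truechimers]
    # Plain mean stands in for the RFC's weighted combine step.
    sel.offset = sum(s.offset for s in chosen) / len(chosen)
    return sel


# Constructed samples (not real measurements): three well-behaved peers a few
# milliseconds apart, and one source answering roughly an hour off.
DIVERSE_PEERS = [
    PeerSample("eu-peer-1", 0.002, 0.010),
    PeerSample("eu-peer-2", -0.001, 0.010),
    PeerSample("eu-peer-3", 0.004, 0.010),
]
SPOOFED = PeerSample("bad-source", 3600.0, 0.010)

if __name__ == "__main__":
    print("diverse peering:  ", select_clock(DIVERSE_PEERS + [SPOOFED]))
    print("single source:    ", select_clock([SPOOFED]))
    print("two that disagree:", select_clock([DIVERSE_PEERS[0], SPOOFED]))
```

Run with the three diverse peers plus the bad source, the bad source is the lone falseticker and the combined offset stays within a few milliseconds. Run with the bad source as the only configured server, it is accepted outright, because there is nothing to compare it against; with exactly two sources that disagree there is no majority and the client applies no correction at all. That is the difference between "a UDP filter" and "robust diversity of peering" as a design-level mitigation.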