Fwd: NTP Sync Issue Across Tata (Europe)

• Previous message (by thread): SMS Email Gateway - sms.myboostmobile.com discontinued
• Next message (by thread): Changes to ARIN Online - Routing Security Dashboard - RPKI & IRR integration (was: Fwd: [arin-announce] New Features Added to ARIN Online)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Or one can read recent research papers that thoroughly document the incredible fragility of the existing NTP hierarchy and soberly consider their recommendations for remediation:

https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1A-2_24302_paper.pdf

Or simply use non-Internet NTP servers based on a Stratum-0 GPS source for mission-critical network timing.

Until then, we may all wake up one morning and discover massive data breaches traced to an unfounded reliance on insecure public NTP servers. Then the game truly will be over, but not in our favor.

 -mel

On Aug 6, 2023, at 2:35 PM, Rubens Kuhl <rubensk at gmail.com> wrote:

Or one can select NTS-capable NTP servers, like those 5:
a.st1.ntp.br
b.st1.ntp.br
c.st1.ntp.br
d.st1.ntp.br
gps.ntp.br

Or any other NTP server that has NTS deployed. Game-over for NTP impersonation.


Rubens

On Sun, Aug 6, 2023 at 4:41 PM Mel Beckman <mel at beckman.org> wrote:

In a nutshell, no. Refer to my prior cites for detailed explanations. For a list of real-world attack incidents, see

https://en.m.wikipedia.org/wiki/NTP_server_misuse_and_abuse#


-mel

On Aug 6, 2023, at 12:03 PM, Royce Williams <royce at techsolvency.com> wrote:


Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering a reasonable mitigation for this, as designed?

Royce

On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman <mel at beckman.org> wrote:

William,

Due to flaws in the NTP protocol, a simple UDP filter is not enough. These flaws make it trivial to spoof NTP packets, and many firewalls have no specific protection against this. in one attack the malefactor simply fires a continuous stream of NTP packets with invalid time at your firewall. When your NTP client queries the spoofed server, the malicious packet is the one you likely receive.

That’s just one attack vector. There are several others, and all have complex remediation. Why should people bother being exposed to the risk at all? Simply avoid Internet-routed NTP. there are many solutions, as I’ve already described. Having suffered through such attacks more than once, I can say from personal experience that you don’t want to risk it.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20230807/53446e36/attachment.html>

• Previous message (by thread): SMS Email Gateway - sms.myboostmobile.com discontinued
• Next message (by thread): Changes to ARIN Online - Routing Security Dashboard - RPKI & IRR integration (was: Fwd: [arin-announce] New Features Added to ARIN Online)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]