NTP Sync Issue Across Tata (Europe)

Forrest Christian (List Account) lists at packetflux.com
Thu Aug 10 00:19:19 UTC 2023


Let me address your points:

First, the spoofing does mess with the timing stream.  To not mess with the
timing stream, the entity doing the spoofing would have to have
high-quality NTP-synchronized clocks and somehow generate the GPS I-Q data
such that it was perfectly synchronized with real-time.   Quite frankly,
doing this is orders of magnitude harder than spoofing time and position,
especially when operating in a clandestine manner.   Note that position is
derived from time, not the other way around.

As far as the relationship to your antenna goes:   while it is true that a
high-quality GNSS antenna with a pattern pointing up will reduce the
likelihood of ground-based interference messing with your signal, the
rejection rarely exceeds 10dB.  This means that any signal 10dB louder than
the GPS signals will override your GPS signals.  This level of signal is
trivial to produce.

Let's assume you have a typical GPS-derived NTP server using a typical
commercially available timing GNSS module.  To convince that receiver that
it was a different time, I'd need to have an SDR that would operate in the
GPS band.  These are widely available for under $500.  You'd also need a
laptop and a download of a GPS simulator from GitLab.   With a total
investment of $500 (assuming I already have a laptop), I now have a system
that can generate a GPS signal to convince your GPS receiver that it's any
time at all.  If you're a tech neophyte, there are YouTube videos on how to
do this.

All I need to do now is add appropriate antennas and/or amplifiers to
overcome the official GNSS signals.   As you pointed out, depending on the
location and directivity of your antenna, this is either trivial or becomes
slightly more difficult.   If I can see your antenna, it becomes a lot
cheaper as I just need a relatively low-powered amplifier and a highly
directional antenna.   If I can't see your antenna, I would opt for a
higher-power amplifier and a less directional transmit antenna to blanket a
wide area with the spoofed signal.

The paragraph above assumes I'm trying to convince your NTP server it's a
different time.   If I just want to deny you time, it gets cheaper and
easier.   All I need is a 1.2 GHz oscillator coupled to an antenna.  There
are units like this available for under $10, delivered.  These block GPS
trackers on trucks and/or private automobiles.   Build your own and you can
get a watt or two to shove into a tiny antenna for not a lot more.
Guaranteed to jam anything within a couple of blocks.

I wish I could say this is uncommon to happen, but I have seen it time and
time again with customers (I design and sell GNSS Receivers used for
precision timing on various WISP access points).   It doesn't necessarily
need to be intentional - it's not uncommon for a radio transmitter to fail
so that it puts a spur out on 1.2 GHz and/or other GNSS bands.    Two
particular recent events happened in January and October of last year.  In
the first, a transmitter started emitting noise on the L1 band near DIA
airport, wiping out GPS on the ground for a 50-mile radius and 230 miles in
the air.   It took 33 hours to find and resolve this particular issue.  See
https://www.cisa.gov/sites/default/files/publications/CISA-Insights_GPS-Interference_508.pdf
.   In the second, similar event, around DFW, an as-yet unidentified noise
source took out GPS for 24 hours - although it took another 20 hours for
everything to recover.

There was a recent event at a site in California that I was peripherally
involved with (as the vendor of an affected GPS device) where a
commercially available microwave point-to-point link started emitting
signals in the GPS band and took out GPS for an extended period at the
site.  In that case, every single GPS receiver at the site could not
receive GPS signals until the errant radio was determined and shut down.
It took a while as it required a lot of "turn off equipment one by one
until the signal goes away" troubleshooting.

I agree that GPS timing vendors are continuously striving to improve the
reliability and interference robustness of their GPS systems.   There are
definitely really cool solutions on the market today, for example Microchip
Technology's BlueSky GPS Firewall, which develops its own internal clock,
and then uses that to deliver precision time downstream by transmitting an
internally-developed GPS signal (just like a spoofer would).   But most
people who develop their GPS time don't select vendors with this level of
robustness.  Instead they almost always use a commercial off-the-shelf GPS
module which lacks many of the features you describe.

A good reference on how to harden GPS systems is at
https://www.cisa.gov/sites/default/files/2023-02/Improving_the_Operation_and_Development_of_Global_Positioning_System_%28GPS%29_Equipment_Used_by_Critical_Infrastructure_S508C.pdf
.


On Wed, Aug 9, 2023, 12:52 PM Mel Beckman <mel at beckman.org> wrote:

> While GPS spoofing is technically possible, all the extant spoofing only
> tampers with the ephemeris (satellite position) data, not the timing
> stream. That's because hackers have been aiming at navigation, and may not
> have expressed interest in GPS tampering when NTP tampering is so easy 🙂
>
> To spoof GPS clocks, a hacker has to know where the antennas are, and get
> above them in order to inject a signal with the right directionality.
> Commercial GPS clock vendors have implemented various anti-spoofing
> measures that, for example, only accept signals from a certain cone of
> visibility, which faces up. They have other measures too, some of which
> exploit geographic diversity, so if you can have two or more GPS clocks in
> different hub sites, the clocks will reject spoofing signals.
>
> This seems like a much easier defense than deploying secure NTP (NTS),
> which adds a huge amount of complexity. At least one researcher has shown
> that polluting the existing public NTP pool with enough bogus servers to
> seriously impact network time is trivial (I cited their paper in an earlier
> post on this thread).  A well funded state actor could be laying the
> framework for such an attack as we speak, lying in wait until an
> opportunity to disrupt Internet NTP globally.
>
>    -mel
> ------------------------------
> *From:* NANOG <nanog-bounces+mel=beckman.org at nanog.org> on behalf of Jay
> Hennigan <jay at west.net>
> *Sent:* Wednesday, August 9, 2023 10:58 AM
> *To:* nanog at nanog.org <nanog at nanog.org>
> *Subject:* Re: NTP Sync Issue Across Tata (Europe)
>
> On 8/9/23 09:29, Seth Mattinen via NANOG wrote:
>
> > I liked having a WWVB receiver in my mix, but all the hardware
> > appliances (at least those offering OCXO or Rubidium oscillator options)
> > seem to have rejected it in favor of GPS only. I can only conclude that
> > either vendors think options like WWVB are a dead end or there's no
> > demand for GPS alternatives.
>
> Both GPS and WWVB are over-the-air. There has been concern expressed of
> a bad actor spoofing or jamming GPS. Comparatively speaking, jamming or
> spoofing WWVB is a trivial joke.
>
> --
> Jay Hennigan - jay at west.net
> Network Engineering - CCIE #7880
> 503 897-8550 - WB6RDV
>
>
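
Added example, not part of either message above: a minimal sanity check for a GPS-disciplined time server that separates "no fix" (jamming or interference) from "fix present but time disagrees" (possible spoofing) by comparing GPS time with a local holdover oscillator and with clocks at other sites. The sample fields, the 1 ms limit, the re-arm count and the sample values are all assumptions made for this illustration.

```python
from statistics import median

LIMIT_S = 0.001      # assumed policy: max disagreement with independent references
REARM_SAMPLES = 2    # assumed: consecutive good samples before trusting GPS again

def classify(sample, limit=LIMIT_S):
    """Classify one GPS refclock sample as 'ok', 'denied' or 'suspect'.

    All offsets are (source time - local holdover oscillator time), in seconds.
    """
    if not sample["fix"]:
        return "denied"                       # jammed or interfered: no GPS time at all
    # The local oscillator (offset 0 by definition) and each remote-site clock
    # are independent of the local antenna; take their median as the consensus.
    consensus = median(sample["peers"] + [0.0])
    if abs(sample["gps"] - consensus) > limit:
        return "suspect"                      # GPS has a fix but tells a different time
    return "ok"

def select_source(samples, rearm=REARM_SAMPLES):
    """Walk samples in order; return [(state, source)], source 'gps' or 'holdover'."""
    out, good = [], rearm                     # start in the trusted state
    for s in samples:
        state = classify(s)
        good = good + 1 if state == "ok" else 0
        out.append((state, "gps" if good >= rearm else "holdover"))
    return out

# Constructed samples, not real measurements.
SAMPLES = [
    {"fix": True,  "gps": 2e-6,   "peers": [1e-6, -3e-6]},   # normal
    {"fix": False, "gps": 0.0,    "peers": [1e-6, -2e-6]},   # signal denied
    {"fix": True,  "gps": 3e-6,   "peers": [2e-6, -2e-6]},   # back, not yet re-armed
    {"fix": True,  "gps": 2e-6,   "peers": [2e-6, -1e-6]},   # re-armed
    {"fix": True,  "gps": 3600.0, "peers": [2e-6, -1e-6]},   # fix present, time off by 1 h
]

if __name__ == "__main__":
    for i, (state, source) in enumerate(select_source(SAMPLES)):
        print(i, state, source)
```

Remote-site clocks only count as independent if they sit outside the affected area; the local oscillator term keeps the check meaningful when they do not.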