NIST NTP servers

Chuck Church chuckchurch at gmail.com
Tue May 10 20:18:41 UTC 2016


-----Original Message-----
From: Gary E. Miller [mailto:gem at rellim.com] 
Sent: Tuesday, May 10, 2016 3:58 PM
To: Chuck Church <chuckchurch at gmail.com>
Cc: 'Majdi S. Abbas' <msa at latt.net>; nanog at nanog.org
Subject: Re: NIST NTP servers

Yo Chuck!

On Tue, 10 May 2016 10:29:35 -0400
"Chuck Church" <chuckchurch at gmail.com> wrote:

> Changing time on
> devices is more an annoyance than anything, and doesn't necessarily 
> get you into a device.

So, you are not worried about getting DoS'ed?

How about you set the time on your server ahead by 5 years.  Got any idea
what would happen?

Most of your passwords would expire.

All your SSL certs would expire.

All your TOTPs, like Google Authenticator would fail.

All your IPSEC tunnels would drop, and refuse to restart.

Many of your cron jobs would go nuts, possibly deleting all your logs.

Much of your DNSSEC would expire.

Many of your backups would be deleted since they 'expired'.

Until recently, setting your iPhone to 1 Jan 1970 would brick it.

I'm sure there are many more examples, but likely you can no longer log in,
via SSH or HTTPS, and your iPhone is dead.  I think any of those would
qualify as more than an annoyance.

RGDS
GARY
----------------------------------------------------------------------------

Ok, annoyance might have been a little light on the severity wording.
Still, modifying all your incoming NTP packets from all your sources to
actually get your NTP servers to agree on a bad time is tricky.  That is
assuming you've got multiple links, multiple sources from multiple
organizations (more than 4), they're all authenticated, etc.  Even if a
criminal were to do all that damage you listed, it still probably doesn't
result in obtaining sensitive data or money that would be the main
motivators for such extreme hacking.  If I had an iPhone, perhaps I'd worry
about that as well.  But fortunately, not an issue ;)

Chuck
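As an added example, not part of this thread and not code from any NTP implementation: the reason several independent sources make a bad time hard to push is the clock-select ("intersection") step that an NTP daemon runs before it trusts any offset. The sketch below is a simplified version of the RFC 5905 section 11.2.1 algorithm (essentially Marzullo's: find the point covered by the most source intervals and require a majority). The source names, offsets and root distances are constructed, the FIVE_YEARS jump is Gary's hypothetical, and the majority rule is a simplification of what real daemons do.

```python
"""Simplified NTP clock-select (intersection) over a set of sources.

Added example, not from the NANOG thread or any NTP daemon. Each source
reports an offset (seconds, relative to the local clock) and a root
distance (its error bound), giving the interval [offset - dist, offset + dist].
Sources whose intervals share the most-covered point are "truechimers";
the rest are "falsetickers". All numbers below are constructed.
"""
from dataclasses import dataclass
from statistics import median

FIVE_YEARS = 5 * 365 * 86400  # the hypothetical jump from the thread, in seconds


@dataclass(frozen=True)
class Source:
    name: str
    offset: float         # measured offset, seconds
    root_distance: float  # error bound, seconds (half-width of the interval)

    @property
    def low(self) -> float:
        return self.offset - self.root_distance

    @property
    def high(self) -> float:
        return self.offset + self.root_distance


def intersection(sources):
    """Marzullo-style scan: return (truechimers, falsetickers).

    Sweeps interval endpoints in order, tracking how many intervals cover the
    current point. The point with the highest coverage wins only if that
    coverage is a strict majority of all sources; otherwise nobody survives.
    """
    events = []
    for s in sources:
        events.append((s.low, -1))   # -1 sorts starts before ends at equal value
        events.append((s.high, +1))
    events.sort()
    best, count, best_point = 0, 0, None
    for value, kind in events:
        if kind == -1:
            count += 1
            if count > best:
                best, best_point = count, value
        else:
            count -= 1
    if best <= len(sources) // 2:            # no majority agreement
        return [], list(sources)
    true = [s for s in sources if s.low <= best_point <= s.high]
    false = [s for s in sources if s not in true]
    return true, false


def select(sources):
    """Run clock-select and pick the median truechimer offset as the result."""
    true, false = intersection(sources)
    return {
        "offset": median([s.offset for s in true]) if true else None,
        "truechimers": [s.name for s in true],
        "falsetickers": [s.name for s in false],
    }


def spoof(sources, names, offset=FIVE_YEARS, root_distance=0.010):
    """Model an attacker rewriting the responses of the named sources."""
    return [Source(s.name, offset, root_distance) if s.name in names else s
            for s in sources]


# Constructed: five honest sources from different organisations, all within
# a few milliseconds of each other with small error bounds.
HONEST = [
    Source("ntp1", 0.002, 0.010),
    Source("ntp2", -0.001, 0.012),
    Source("ntp3", 0.004, 0.015),
    Source("ntp4", 0.000, 0.020),
    Source("ntp5", 0.003, 0.011),
]

if __name__ == "__main__":
    print("all honest:      ", select(HONEST))
    print("2 of 5 spoofed:  ", select(spoof(HONEST, {"ntp4", "ntp5"})))
    print("3 of 5 spoofed:  ", select(spoof(HONEST, {"ntp3", "ntp4", "ntp5"})))
    print("single source:   ", select(spoof(HONEST[:1], {"ntp1"})))
```

With two of five sources forged the two forgeries sit alone at +5 years and are discarded as falsetickers; with three of five forged the forgeries form the majority interval and the honest pair is what gets thrown out, and a host with a single source accepts the forged time outright. That is the whole of the argument on both sides of the thread: the damage Gary lists is real, but the attacker has to control (or be on the path of) a majority of the sources, which is why source count, path diversity and authentication matter more than any single server.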


