NIST NTP servers
mel at beckman.org
Tue May 10 20:23:04 UTC 2016
Accurate time to the millisecond is pretty much essential for any network troubleshooting. Say you want to diagnose a SIP problem. You collect transaction logs from both phones, the VoIP gateway, and the PBX. Now you try to merge them to derive the sequence of events. You NEED millisecond accuracy.
But more importantly, Gary is right about the risks. I’ve had several customers receive major NTP DoS attacks using forged source addresses. In today’s Internet, there is very little source address verification (despite several mechanisms being proposed). Everyone relies on the originating network preventing spoofing, but thousands of ISPs — particularly overseas — do not do spoof checks.
And the issues of NTP pollution are even more dangerous. As Gary notes, changing dates is a risk. A big enough change (say 30 days) would be catastrophic to most accounting systems. A big leap — a year or more — could expire software license and disable all kinds of encryption. We haven’t even discussed multi-stage attacks, where NTP is used to disrupt systems at multiple points, and then the attacker storms in and takes over unnoticed during the confusion.
All because of misplaced trust in a tiny UDP packet that can worm its way into your network from anywhere on the Internet.
I say you’re crazy if you don’t run a GPS-based NTP server, especially given that they cost as little as $300 for very solid gear. Heck, get two or three!
> On May 10, 2016, at 12:58 PM, Gary E. Miller <gem at rellim.com> wrote:
> Yo Chuck!
> On Tue, 10 May 2016 10:29:35 -0400
> "Chuck Church" <chuckchurch at gmail.com> wrote:
>> Changing time on
>> devices is more an annoyance than anything, and doesn't necessarily
>> get you into a device.
> So, you are not worried about getting DoS'ed?
> How about you set the time on your server ahead by 5 years. Got any
> idea what would happen?
> Most of your passwords would expire.
> All your SSL certs would expire.
> All your TOTPs, like Google Authenticator would fail.
> All your IPSEC tunnels would drop, and refuse to restart.
> Many of your cron jobs would got nuts, possibly deleting all your logs.
> Much of your DNSSEC would expire.
> Many of your backups would be deleted since they 'expired'.
> Until recently, setting your iPhone to 1 Jan 1970 would brick it.
> I'm sure there are many more examples, but likely you can no longer log
> in, via SSH or HTTPS, and your iPhone is dead. I think any of those
> would qualify as more than an annoyance.
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
> gem at rellim.com Tel:+1 541 382 8588
More information about the NANOG