NIST NTP servers

Chuck Church chuckchurch at gmail.com
Wed May 11 15:18:29 UTC 2016


-----Original Message-----
>From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Leo Bicknell
>Sent: Wednesday, May 11, 2016 9:31 AM
>To: nanog at nanog.org
>Subject: Re: NIST NTP servers

>Personally, my network gets NTP from 14 stratum 1 sources right now.
>You, and the hacker, do not know which ones.  You have to guess at least
>8 to get me to move to your "hacked" time.  Good luck.

>Redundancy is the solution, not a new single point of failure.  GPS can be part of the redundancy, not a sole solution.

This seems like the most reasonable advise.  If this truly becomes a concern, I would think IPS vendors could implement signatures to look for bad time.  Lots of ways to do this 
- look for a difference between the IPS realtime and NTP status versus the incoming packets.
- look for duplicate NTP responses, or responses that weren't requested 
- duplicate responses, but with differing TTLs, which might hint at one being spoofed.

Chuck



More information about the NANOG mailing list