NIST NTP servers

Sharon Goldberg goldbe at cs.bu.edu
Wed May 11 19:17:51 UTC 2016


With the caveat that if some of the servers are inside your own private
network then learning who the servers are might be less useful.

But this could be an issue for targets who use servers that are exclusively
on the public internet.

On Wed, May 11, 2016 at 3:15 PM, Sharon Goldberg <goldbe at cs.bu.edu> wrote:

> Well, if you really want to learn about the NTP servers a target is using
> you can always just sent them a regular NTP timing query (mode 3) and just
> read off the IP address in the reference ID field of the response (mode 4).
>
>
> Reference ID reveals the target that the client is sync'd to.
>
> If you do this over and over as the client changes the servers it sync's
> to, you learn all the servers.
>
> Or if you are really keen you can use our "kiss-of-death" attack to learn
> all the servers a client is willing to take time from. See sections V.B-V.C
> of our paper.
>
> https://eprint.iacr.org/2015/1020.pdf
>
> Sharon
>
>
>
> On Wed, May 11, 2016 at 3:07 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
>
>> * Chris Adams:
>>
>> > First, out of the box, if you use the public pool servers (default
>> > config), you'll typically get 4 random (more or less) servers from the
>> > pool.  There are a bunch, so Joe Random Hacker isn't going to have a
>> > high chance of guessing the servers your system is using.
>>
>> A determined attacker will just run servers in the official pool.
>>
>>
>
>
> --
> Sharon Goldberg
> Computer Science, Boston University
> http://www.cs.bu.edu/~goldbe
>



-- 
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe


More information about the NANOG mailing list