<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
Bill,
<div><br>
</div>
<div>That still leaves you open to NTP attacks. The USNO accuracy and monitoring are worthless if you suffer, for example, an NTP DDoS attack.</div>
<div><br>
</div>
<div>
<div style="display: block;" class="">https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/</div>
<div style="display: block;" class=""><br>
</div>
<div style="display: block;" class="">There are also replay and man-in-the-middle (MITM) attacks which can corrupt local NTP servers’ time basis. Worse, security flaws in NTP make other security protocols, such as SSL, vulnerable.</div>
<div style="display: block;" class=""><br>
</div>
<div style="display: block;" class="">
<div style="display: block;" class="">https://www.sidn.nl/en/news-and-blogs/security-flaws-in-network-time-protocol-make-other-security-protocols-vulnerable</div>
</div>
<div><br>
</div>
If you can eliminate such security problems for $400, I say it’s cheap at twice the price.</div>
<div><br>
<div dir="ltr"> -mel</div>
<div dir="ltr"><br>
<blockquote type="cite">On Aug 5, 2023, at 6:18 PM, William Herrin <bill@herrin.us> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr"><span>On Sat, Aug 5, 2023 at 12:26 PM Mel Beckman <mel@beckman.org> wrote:</span><br>
<blockquote type="cite"><span>You might consider setting up your own GPS-based NTP network.</span><br>
</blockquote>
<span></span><br>
<span>GPS time is monitored (and when necessary, adjusted) from the U.S.</span><br>
<span>Naval Observatory Master Clock, which is -the- authoritative time</span><br>
<span>source for the United States. The USNO also provides an NTP time</span><br>
<span>source from the same master clock:</span><br>
<span></span><br>
<span>https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/</span><br>
<span></span><br>
<span>You -should not- just point your servers there, but it's useful to</span><br>
<span>point a few servers each at one of them in order to serve as your</span><br>
<span>network stratum 2 sources that keep the rest of your machines in sync</span><br>
<span>with each other.</span><br>
<span></span><br>
<span>That last point is key. You don't want your servers in sync with</span><br>
<span>random Internet time sources. You want them in sync with each other.</span><br>
<span></span><br>
<span>Regards,</span><br>
<span>Bill Herrin</span><br>
<span></span><br>
<span></span><br>
<span></span><br>
<span>-- </span><br>
<span>William Herrin</span><br>
<span>bill@herrin.us</span><br>
<span>https://bill.herrin.us/</span><br>
</div>
</blockquote>
</div>
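<div>An added example, not part of the thread: a small Python audit of an ntpd configuration for the settings that turn a server into an NTP amplification reflector (mode 6/7 queries such as monlist answered for anyone, and the monitor MRU table kept). The two config strings and the hostnames in them are constructed placeholders.</div>

```python
"""Audit an ntp.conf for the settings behind the NTP amplification abuse."""

# Constructed sample: answers mode 6/7 queries (monlist) for the whole Internet.
WEAK_CONF = """
server ntp.example.net iburst   # placeholder upstream
restrict default
restrict 127.0.0.1
"""

# Constructed sample with the usual hardening: no remote queries, no MRU table.
HARDENED_CONF = """
server ntp.example.net iburst   # placeholder upstream
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""


def parse(conf):
    """Return (time sources, flags on 'restrict default', monitor disabled?)."""
    sources, default_flags, monitor_disabled = [], set(), False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in ("server", "peer", "pool") and len(words) > 1:
            sources.append(words[1])
        elif words[0] == "restrict" and len(words) > 1 and words[1] == "default":
            default_flags = set(words[2:])
        elif words[0] == "disable" and "monitor" in words[1:]:
            monitor_disabled = True
    return sources, default_flags, monitor_disabled


def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    sources, flags, monitor_disabled = parse(conf)
    findings = []
    if not sources:
        findings.append("no time source configured")
    if "noquery" not in flags:
        findings.append("restrict default lacks noquery: mode 6/7 queries (monlist) answered for anyone")
    if "nomodify" not in flags:
        findings.append("restrict default lacks nomodify: remote runtime changes accepted")
    if not monitor_disabled:
        findings.append("'disable monitor' missing: MRU table kept, so monlist has data to reflect")
    return findings
```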
</body>
</html>