nanog mailing list archives
Re: NIST NTP servers
From: Mel Beckman <mel () beckman org>
Date: Tue, 10 May 2016 20:23:04 +0000
Accurate time to the millisecond is pretty much essential for any network troubleshooting. Say you want to diagnose a SIP problem. You collect transaction logs from both phones, the VoIP gateway, and the PBX. Now you try to merge them to derive the sequence of events. You NEED millisecond accuracy.

But more importantly, Gary is right about the risks. I’ve had several customers receive major NTP DoS attacks using forged source addresses. In today’s Internet, there is very little source address verification (despite several mechanisms being proposed). Everyone relies on the originating network preventing spoofing, but thousands of ISPs — particularly overseas — do not do spoof checks.

And the issues of NTP pollution are even more dangerous. As Gary notes, changing dates is a risk. A big enough change (say 30 days) would be catastrophic to most accounting systems. A big leap — a year or more — could expire software licenses and disable all kinds of encryption. We haven’t even discussed multi-stage attacks, where NTP is used to disrupt systems at multiple points, and then the attacker storms in and takes over unnoticed during the confusion. All because of misplaced trust in a tiny UDP packet that can worm its way into your network from anywhere on the Internet.

I say you’re crazy if you don’t run a GPS-based NTP server, especially given that they cost as little as $300 for very solid gear. Heck, get two or three!

-mel
On May 10, 2016, at 12:58 PM, Gary E. Miller <gem () rellim com> wrote:

> Yo Chuck!
>
> On Tue, 10 May 2016 10:29:35 -0400 "Chuck Church" <chuckchurch () gmail com> wrote:
>
> > Changing time on devices is more an annoyance than anything, and doesn't necessarily get you into a device.
>
> So, you are not worried about getting DoS'ed?
>
> How about you set the time on your server ahead by 5 years. Got any idea what would happen?
>
> Most of your passwords would expire. All your SSL certs would expire. All your TOTPs, like Google Authenticator, would fail. All your IPSEC tunnels would drop, and refuse to restart. Many of your cron jobs would go nuts, possibly deleting all your logs. Much of your DNSSEC would expire. Many of your backups would be deleted since they 'expired'. Until recently, setting your iPhone to 1 Jan 1970 would brick it.
>
> I'm sure there are many more examples, but likely you can no longer log in, via SSH or HTTPS, and your iPhone is dead.
>
> I think any of those would qualify as more than an annoyance.
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller
> Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
> gem () rellim com Tel:+1 541 382 8588
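The defensive side of the thread's two points (a polluted or spoofed time source claiming the clock is years off, and the advice to run two or three local GPS references) can be shown as a small sanity gate on measured NTP offsets. This is an added illustration, not code from the thread or from any NTP implementation; the source names, offsets and certificate expiry dates are constructed, and the 1000-second panic gate mirrors ntpd's default panic threshold.

```python
"""Sanity-gate NTP offsets before stepping the system clock.

Constructed example: three reference sources, one of them a polluted public
server claiming our clock is 5 years behind. Source names are hypothetical.
"""
from datetime import datetime, timedelta, timezone
from statistics import median

# ntpd's default panic gate: an offset beyond this is never applied silently.
PANIC_THRESHOLD_S = 1000.0

# Constructed measurements: seconds each source says our clock is behind it.
SAMPLE_OFFSETS = {
    "gps-local-1": 0.004,
    "gps-local-2": -0.003,
    "public-pool-x": 5 * 365 * 86400.0,  # +5 years, as a polluted peer might claim
}

def filter_offsets(offsets, panic=PANIC_THRESHOLD_S):
    """Split sources into those inside the panic gate and those outside it."""
    kept = {n: o for n, o in offsets.items() if abs(o) <= panic}
    rejected = {n: o for n, o in offsets.items() if abs(o) > panic}
    return kept, rejected

def select_offset(offsets, panic=PANIC_THRESHOLD_S, min_agreeing=2):
    """Median of the surviving offsets, or None when too few sources agree.

    Requiring at least two surviving sources is the 'get two or three'
    advice in code form: a single outlier cannot steer the clock.
    """
    kept, _ = filter_offsets(offsets, panic)
    if len(kept) < min_agreeing:
        return None
    return median(kept.values())

def expiring_if_stepped(now, step_s, expiries):
    """Names of credentials (certs, licences, TOTP seeds) that would already be
    past their expiry if the clock were stepped forward by step_s seconds."""
    new_now = now + timedelta(seconds=step_s)
    return sorted(name for name, exp in expiries.items() if exp <= new_now)

if __name__ == "__main__":
    now = datetime(2016, 5, 10, 20, 23, tzinfo=timezone.utc)
    certs = {"web-tls": now + timedelta(days=400), "vpn-ca": now + timedelta(days=3000)}
    kept, rejected = filter_offsets(SAMPLE_OFFSETS)
    print("rejected sources:", rejected)
    print("offset to apply:", select_offset(SAMPLE_OFFSETS))
    bad_step = SAMPLE_OFFSETS["public-pool-x"]
    print("would expire if stepped anyway:", expiring_if_stepped(now, bad_step, certs))
```

With the polluted source rejected, the two GPS references agree and a sub-millisecond correction is applied; had the +5 year step been taken, the constructed web certificate would already be expired, which is the failure Gary's list describes.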