nanog mailing list archives
RE: NIST NTP servers
From: "Chuck Church" <chuckchurch () gmail com>
Date: Tue, 10 May 2016 16:18:41 -0400
-----Original Message-----
From: Gary E. Miller [mailto:gem () rellim com]
Sent: Tuesday, May 10, 2016 3:58 PM
To: Chuck Church <chuckchurch () gmail com>
Cc: 'Majdi S. Abbas' <msa () latt net>; nanog () nanog org
Subject: Re: NIST NTP servers

Yo Chuck!

On Tue, 10 May 2016 10:29:35 -0400
"Chuck Church" <chuckchurch () gmail com> wrote:

> Changing time on devices is more an annoyance than anything, and doesn't necessarily get you into a device.

So, you are not worried about getting DoS'ed?

How about you set the time on your server ahead by 5 years. Got any idea what would happen?

Most of your passwords would expire. All your SSL certs would expire. All your TOTPs, like Google Authenticator, would fail. All your IPSEC tunnels would drop, and refuse to restart. Many of your cron jobs would go nuts, possibly deleting all your logs. Much of your DNSSEC would expire. Many of your backups would be deleted since they 'expired'. Until recently, setting your iPhone to 1 Jan 1970 would brick it.

I'm sure there are many more examples, but likely you can no longer log in, via SSH or HTTPS, and your iPhone is dead.

I think any of those would qualify as more than an annoyance.

RGDS
GARY
----------------------------------------------------------------------------

Ok, annoyance might have been a little light on the severity wording. Still, modifying all your incoming NTP packets from all your sources to actually get your NTP servers to agree on a bad time is tricky. That is assuming you've got multiple links, multiple sources from multiple organizations (more than 4), they're all authenticated, etc. Even if a criminal was to do all that damage you listed, it still probably doesn't result in obtaining sensitive data or money that would be the main motivators for such extreme hacking. If I had an iPhone, perhaps I'd worry about that as well. But fortunately, not an issue ;)

Chuck
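
Added example (not part of the original message, and not the NTP project's code): a Marzullo-style agreement check, the idea NTP's source selection builds on, run over constructed samples to show why a minority of falsified sources cannot move the clock, and what still guards it once a majority lies. The function names, sample offsets, error bounds and the 1000-second max_step limit are assumptions for illustration.

```python
# Added example: Marzullo-style agreement check over constructed NTP samples.
FIVE_YEARS = 5 * 365 * 86400  # seconds; the clock jump discussed in the thread


def marzullo(intervals):
    """Return (count, lo, hi): the range covered by the most intervals."""
    edges = []
    for lo, hi in intervals:
        edges.append((lo, -1))   # interval opens
        edges.append((hi, +1))   # interval closes
    edges.sort()                 # at equal values, opens sort before closes
    best = count = 0
    best_lo = best_hi = None
    for i, (value, kind) in enumerate(edges):
        count -= kind
        if count > best:         # only reachable on an open edge
            best, best_lo, best_hi = count, value, edges[i + 1][0]
    return best, best_lo, best_hi


def select_offset(samples, max_step=1000.0):
    """samples: list of (offset_s, error_bound_s), one per time source.

    Returns (offset, reason). max_step is a hypothetical policy limit:
    even an agreed offset larger than this is refused, not applied.
    """
    intervals = [(off - err, off + err) for off, err in samples]
    agree, lo, hi = marzullo(intervals)
    if agree * 2 <= len(samples):      # need a strict majority of sources
        return None, "no-majority"
    offset = (lo + hi) / 2
    if abs(offset) > max_step:         # majority agrees on an absurd jump
        return None, "step-too-large"
    return offset, "ok"


# Constructed samples: three honest sources and one falsified reading.
HONEST = [(0.012, 0.05), (-0.004, 0.05), (0.020, 0.05)]
LIAR = (FIVE_YEARS, 0.05)

if __name__ == "__main__":
    print(select_offset(HONEST + [LIAR] * 2))                      # 2 of 5 lie
    print(select_offset(HONEST[:2] + [LIAR] * 3))                  # 3 of 5 lie
    print(select_offset(HONEST[:2] + [LIAR] * 2 + [(42.0, 0.05)])) # no majority
```

With two of five sources falsified the honest majority still sets the offset; with three falsified the agreement check alone would accept the jump, so the step limit is the remaining guard.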