nanog mailing list archives

RE: NIST NTP servers


From: "Chuck Church" <chuckchurch () gmail com>
Date: Tue, 10 May 2016 16:18:41 -0400

-----Original Message-----
From: Gary E. Miller [mailto:gem () rellim com] 
Sent: Tuesday, May 10, 2016 3:58 PM
To: Chuck Church <chuckchurch () gmail com>
Cc: 'Majdi S. Abbas' <msa () latt net>; nanog () nanog org
Subject: Re: NIST NTP servers

Yo Chuck!

On Tue, 10 May 2016 10:29:35 -0400
"Chuck Church" <chuckchurch () gmail com> wrote:

Changing time on devices is more an annoyance than anything, and doesn't
necessarily get you into a device.

So, you are not worried about getting DoS'ed?

How about you set the time on your server ahead by 5 years.  Got any idea
what would happen?

Most of your passwords would expire.

All your SSL certs would expire.

All your TOTPs, like Google Authenticator, would fail.

All your IPSEC tunnels would drop, and refuse to restart.

Many of your cron jobs would go nuts, possibly deleting all your logs.

Much of your DNSSEC would expire.

Many of your backups would be deleted since they 'expired'.

Until recently, setting your iPhone to 1 Jan 1970 would brick it.

I'm sure there are many more examples, but likely you can no longer log in,
via SSH or HTTPS, and your iPhone is dead.  I think any of those would
qualify as more than an annoyance.

RGDS
GARY
----------------------------------------------------------------------------

Ok, annoyance might have been a little light on the severity wording.
Still, modifying all your incoming NTP packets from all your sources to
actually get your NTP servers to agree on a bad time is tricky.  That is
assuming you've got multiple links, multiple sources from multiple
organizations (more than 4), they're all authenticated, etc.  Even if a
criminal were to do all that damage you listed, it still probably doesn't
result in obtaining sensitive data or money that would be the main
motivators for such extreme hacking.  If I had an iPhone, perhaps I'd worry
about that as well.  But fortunately, not an issue ;)

Chuck
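
Added example, not part of the original post: a simplified Marzullo-style interval intersection (the idea NTP's source selection is derived from, not ntpd's own code), showing why several independent sources matter. With the constructed samples below, two of five sources reporting a five-year jump are outvoted, three of five move the result, and an even split yields no answer. All names and values are constructed.

```python
from typing import List, Optional, Tuple

# (source name, measured offset in seconds, +/- error bound in seconds)
Sample = Tuple[str, float, float]
FIVE_YEARS = 5 * 365 * 86400.0  # the forward jump discussed in the thread

def marzullo(samples: List[Sample]) -> Tuple[int, float, float]:
    """Return (n, lo, hi): the interval covered by the largest number n of sources."""
    edges = []
    for _, offset, err in samples:
        edges.append((offset - err, -1))  # interval opens
        edges.append((offset + err, +1))  # interval closes
    edges.sort()  # on ties an opening sorts first, so touching intervals overlap
    best = count = 0
    lo = hi = 0.0
    for i, (point, kind) in enumerate(edges):
        count -= kind
        if count > best:  # only an opening edge can raise the count
            best, lo, hi = count, point, edges[i + 1][0]
    return best, lo, hi

def select_offset(samples: List[Sample]) -> Optional[float]:
    """Midpoint of the agreed interval, or None when no strict majority agrees."""
    if not samples:
        return None
    agree, lo, hi = marzullo(samples)
    if 2 * agree <= len(samples):
        return None  # no majority: hold the clock and alert rather than step it
    return (lo + hi) / 2

def shift(samples: List[Sample], names: set, delta: float) -> List[Sample]:
    """Copy of samples with the named sources reporting an offset moved by delta."""
    return [(n, o + delta if n in names else o, e) for n, o, e in samples]

# Constructed sample data: five independent sources that roughly agree.
HONEST: List[Sample] = [
    ("a", 0.010, 0.05), ("b", -0.020, 0.05), ("c", 0.000, 0.05),
    ("d", 0.015, 0.05), ("e", -0.005, 0.05),
]

if __name__ == "__main__":
    print("all honest:     ", select_offset(HONEST))
    print("2 of 5 shifted: ", select_offset(shift(HONEST, {"d", "e"}, FIVE_YEARS)))
    print("3 of 5 shifted: ", select_offset(shift(HONEST, {"c", "d", "e"}, FIVE_YEARS)))
    print("2 of 4 shifted: ", select_offset(shift(HONEST[:4], {"c", "d"}, FIVE_YEARS)))
```

A `None` result is the case worth alerting on: the sources disagree and the clock should not be stepped automatically.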

