Re: NIST NTP servers

[Mel Beckman <mel () beckman org>]

I don't pretend to know all the ways a hacker can find out what nap servers a company uses, but I can envision a virus 
that could do that once behind a firewall. Every ntp response lists the current reference ntp server in the next higher 
stratum. There are many ways that process could harvest all ntp servers over time, and then pass the public IP back to 
a mother ship controller. It could be going on right now.

My point is, when the fix is so cheap, why put up with this risk at all? 

 -mel beckman

> On May 10, 2016, at 5:18 PM, Chris Adams <cma () cmadams net> wrote:
>
> Once upon a time, Mel Beckman <mel () beckman org> said:
> > Boss: So how did a hacker get in and crash our accounting server, break our VPNs, and kill our network performance?
> >
> > IT guy: He changed our clocks.
>
> So, this has been repeated several times (with how bad things will go if
> your clocks get changed by years).  It isn't that easy.
>
> First, out of the box, if you use the public pool servers (default
> config), you'll typically get 4 random (more or less) servers from the
> pool.  There are a bunch, so Joe Random Hacker isn't going to have a
> high chance of guessing the servers your system is using.
>
> Second, he'd have to guess at least three to "win".
>
> Third, at best, he'd only be able to change your clocks a little; the
> common software won't step the clock more than IIRC 15 minutes.  Yes,
> that can cause problems, but not the catastrophes of years in the future
> or Jan 1, 1970 mentioned in this thread.
>
> Is it possible to cause problems?  Yes.  Is it a practical attack?  I'm
> not so sure, and I haven't seen proof to the contrary.
> -- 
> Chris Adams <cma () cmadams net>