Re: NIST NTP servers

[Sharon Goldberg <goldbe () cs bu edu>]

Well, if you really want to learn about the NTP servers a target is using
you can always just sent them a regular NTP timing query (mode 3) and just
read off the IP address in the reference ID field of the response (mode 4).


Reference ID reveals the target that the client is sync'd to.

If you do this over and over as the client changes the servers it sync's
to, you learn all the servers.

Or if you are really keen you can use our "kiss-of-death" attack to learn
all the servers a client is willing to take time from. See sections V.B-V.C
of our paper.

https://eprint.iacr.org/2015/1020.pdf

Sharon



On Wed, May 11, 2016 at 3:07 PM, Florian Weimer <fw () deneb enyo de> wrote:

> * Chris Adams:
>
> > First, out of the box, if you use the public pool servers (default
> > config), you'll typically get 4 random (more or less) servers from the
> > pool.  There are a bunch, so Joe Random Hacker isn't going to have a
> > high chance of guessing the servers your system is using.
>
> A determined attacker will just run servers in the official pool.


-- 
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe