Re: NTP Sync Issue Across Tata (Europe)

[Royce Williams <royce () techsolvency com>]

Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering
a reasonable mitigation for this, as designed?

Royce

On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman <mel () beckman org> wrote:

> William,
>
> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These
> flaws make it trivial to spoof NTP packets, and many firewalls have no
> specific protection against this. in one attack the malefactor simply fires
> a continuous stream of NTP packets with invalid time at your firewall. When
> your NTP client queries the spoofed server, the malicious packet is the one
> you likely receive.
>
> That’s just one attack vector. There are several others, and all have
> complex remediation. Why should people bother being exposed to the risk at
> all? Simply avoid Internet-routed NTP. there are many solutions, as I’ve
> already described. Having suffered through such attacks more than once, I
> can say from personal experience that you don’t want to risk it.