Re: NTP Sync Issue Across Tata (Europe)

[James R Cutler <james.cutler () consultant com>]

A carefully selected set of stratum 0 sources for a set of stratum 1 servers is the heart of good NTP source design. 
With at least four “local” stratum 1 servers, Dr. Mills algorithm is excellent at distinguishing truechimers from 
falsetickers and providing a reliable source of monotonic time. DOS is a separate problem.

My NTP network deployment experience for a major auto manufacturer, among others, is in agreement with William Herin. A 
GPS NTP source is a valid Stratum 0 source, but relying on a single instance for local time is not exceedingly better 
than querying time.apple.com <http://time.apple.com/> or a similar source.
-
James R. Cutler 
> William,
>
> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These flaws make it trivial to spoof NTP 
> packets, and many firewalls have no specific protection against this. in one attack the malefactor simply fires a 
> continuous stream of NTP packets with invalid time at your firewall. When your NTP client queries the spoofed server, 
> the malicious packet is the one you likely receive.
>
> That’s just one attack vector. There are several others, and all have complex remediation. Why should people bother 
> being exposed to the risk at all? Simply avoid Internet-routed NTP. there are many solutions, as I’ve already 
> described. Having suffered through such attacks more than once, I can say from personal experience that you don’t 
> want to risk it.
>
> -mel 
>
> > On Aug 6, 2023, at 10:53 AM, William Herrin <bill () herrin us> wrote:
> >
> > On Sat, Aug 5, 2023 at 7:24 PM Mel Beckman <mel () beckman org> wrote:
> > > That still leaves you open to NTP attacks. The USNO accuracy and monitoring is worthless if you suffer, for 
> > > example, an NTP DDoS attack.
> >
> > Hi Mel,
> >
> > From what I can tell, a fairly simple firewall policy of allow UDP 123
> > from known NTP clients and established connections (I sent them a UDP
> > packet recently) stops every one of those attacks (that's actually an
> > NTP attack and not something else like a DNS attack) except for
> > upstream address hijack that happens to coincide with your system
> > boot. And it still depends on the attacker executing an additional
> > sophisticated attack to do more than cause you a denial of service.
> >
> > The links you sent are very interesting, at least in an academic
> > sense, but they don't cause me to be unduly concerned about employing
> > NTP.
> >
> >
> > > if you can eliminate such security problems for $400, I say it’s cheap at twice the price.
> >
> > Except you can't. Redundancy is required for any critical service. At
> > the $400 price point, your approach has multiple
> > single-points-of-failure. The device itself of course. Your ability to
> > receive continuous non-jammed GPS signals at the location where you're
> > able to place an antenna. And in your plan you'll need one of these in
> > every discontiguous network where you have equipment since you're not
> > doing NTP over the Internet.
> >
> > Not to mention the operations cost. Keeping track of a six inch brick
> > with a wall wart and an antenna installed at a remote site is... not
> > entirely abnormal but it's a one-off that consumes manpower.
> >
> > And then you're only vulnerable to the litany of Internet attacks
> > which don't involve NTP. Yay!
> >
> > Don't get me wrong: the Time Machines TM1000A you recommended looks
> > like a cool little device well worth checking into. As a supplement to
> > Internet NTP, not a replacement.
> >
> > Regards,
> > Bill Herrin
> >
> >
> > --
> > William Herrin
> > bill () herrin us
> > https://bill.herrin.us/