[189215] in North American Network Operators' Group


RE: NIST NTP servers

daemon@ATHENA.MIT.EDU (Chuck Church)
Wed May 11 11:18:35 2016

X-Original-To: nanog@nanog.org
From: "Chuck Church" <chuckchurch@gmail.com>
To: "'Leo Bicknell'" <bicknell@ufp.org>,
	<nanog@nanog.org>
In-Reply-To: <20160511133127.GA75456@ussenterprise.ufp.org>
Date: Wed, 11 May 2016 11:18:29 -0400
Errors-To: nanog-bounces@nanog.org

-----Original Message-----
>From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Leo Bicknell
>Sent: Wednesday, May 11, 2016 9:31 AM
>To: nanog@nanog.org
>Subject: Re: NIST NTP servers

>Personally, my network gets NTP from 14 stratum 1 sources right now.
>You, and the hacker, do not know which ones.  You have to guess at least
>8 to get me to move to your "hacked" time.  Good luck.

>Redundancy is the solution, not a new single point of failure.  GPS can
>be part of the redundancy, not a sole solution.

This seems like the most reasonable advice.  If this truly becomes a
concern, I would think IPS vendors could implement signatures to look
for bad time.  Lots of ways to do this:
- look for a difference between the IPS realtime and NTP status versus
the incoming packets.
- look for duplicate NTP responses, or responses that weren't requested.
- duplicate responses, but with differing TTLs, which might hint at one
being spoofed.

Chuck
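The three heuristics Chuck lists above, worked through as an added example that is not part of the thread and not any IPS vendor's signature logic. It parses the RFC 5905 48-byte NTP header itself, ties each server response to a client request through the origin timestamp (the field a blind spoofer has to guess), and then applies the checks: transmit time versus the sensor's own clock, responses with no matching request, and duplicate responses to one request with differing IP TTLs. The packet records, addresses (documentation ranges), TTLs, and the 1-second skew threshold are all constructed assumptions for the demonstration.

```python
"""Heuristic detection of bad NTP responses over a constructed packet trace.

Added example, not code from the NANOG thread. Implements the three checks
in the post above: (1) server time vs. the sensor's own clock, (2) responses
with no matching client request, (3) duplicate responses to one request,
with differing IP TTLs flagged as a spoofing hint. Header layout follows
RFC 5905; the trace below is constructed.
"""
import struct
from collections import defaultdict

NTP_UNIX_DELTA = 2208988800               # seconds from 1900-01-01 to 1970-01-01
NTP_HDR = struct.Struct("!BBBbIIIQQQQ")   # LI/VN/mode, stratum, poll, precision,
                                          # root delay, root disp, ref id, 4 timestamps
MODE_CLIENT, MODE_SERVER = 3, 4


def unix_to_ntp(t):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(t) + NTP_UNIX_DELTA
    frac = int((t - int(t)) * 2**32)
    return (secs << 32) | frac


def ntp_to_unix(ts):
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / 2**32


def build_ntp(mode, stratum, origin=0, recv=0, xmit=0):
    """Pack a minimal NTPv4 packet; fields the checks ignore are zero."""
    first = (4 << 3) | mode               # LI=0, VN=4, mode in the low 3 bits
    return NTP_HDR.pack(first, stratum, 6, -20, 0, 0, 0, 0, origin, recv, xmit)


def parse_ntp(payload):
    if len(payload) < NTP_HDR.size:
        raise ValueError("short NTP packet")
    f = NTP_HDR.unpack_from(payload)
    return {"mode": f[0] & 0x7, "stratum": f[1],
            "origin": f[8], "receive": f[9], "transmit": f[10]}


def analyze(trace, max_skew=1.0):
    """Run the three checks over packet records in capture order.

    Record fields: src, dst, ttl, seen (sensor clock, unix float), payload.
    max_skew (seconds, assumed threshold) bounds server time vs. sensor time.
    Returns a list of (kind, detail) alerts.
    """
    alerts = []
    pending = {}                  # (client, server, client xmit ts) -> request
    answers = defaultdict(list)   # same key -> responses already seen for it
    for pkt in trace:
        msg = parse_ntp(pkt["payload"])
        if msg["mode"] == MODE_CLIENT:
            # A real sensor would expire these; kept here so duplicates are seen.
            pending[(pkt["src"], pkt["dst"], msg["transmit"])] = pkt
            continue
        if msg["mode"] != MODE_SERVER:
            continue
        # The server echoes the client's transmit timestamp as the origin field;
        # that is what links a response to a request.
        key = (pkt["dst"], pkt["src"], msg["origin"])
        if key not in pending:
            alerts.append(("unsolicited", f"{pkt['src']} -> {pkt['dst']}: no matching request"))
            continue
        prior = answers[key]
        if prior:
            ttls = sorted({p["ttl"] for p in prior} | {pkt["ttl"]})
            kind = "duplicate-spoof-suspect" if len(ttls) > 1 else "duplicate"
            alerts.append((kind, f"{pkt['src']} answered the same request twice, TTLs {ttls}"))
        prior.append(pkt)
        skew = ntp_to_unix(msg["transmit"]) - pkt["seen"]
        if abs(skew) > max_skew:
            alerts.append(("time-skew", f"{pkt['src']} transmit time is {skew:+.3f}s off the sensor clock"))
    return alerts


T0 = 1462973460.0   # constructed capture base time (unix seconds, 2016-05-11)
_req = unix_to_ntp(T0)
SAMPLE_TRACE = [    # constructed: genuine exchange, spoofed duplicate, unsolicited reply, clean exchange
    {"src": "192.0.2.10", "dst": "198.51.100.5", "ttl": 64, "seen": T0,
     "payload": build_ntp(MODE_CLIENT, 0, xmit=_req)},
    {"src": "198.51.100.5", "dst": "192.0.2.10", "ttl": 52, "seen": T0 + 0.020,
     "payload": build_ntp(MODE_SERVER, 1, _req, unix_to_ntp(T0 + 0.010), unix_to_ntp(T0 + 0.011))},
    {"src": "198.51.100.5", "dst": "192.0.2.10", "ttl": 61, "seen": T0 + 0.021,   # spoofed: other TTL, +1h
     "payload": build_ntp(MODE_SERVER, 1, _req, unix_to_ntp(T0 + 3600), unix_to_ntp(T0 + 3600.011))},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "ttl": 50, "seen": T0 + 0.5,      # nobody asked this host
     "payload": build_ntp(MODE_SERVER, 1, unix_to_ntp(T0 - 5), unix_to_ntp(T0 + 0.5), unix_to_ntp(T0 + 0.5))},
    {"src": "192.0.2.10", "dst": "198.51.100.6", "ttl": 64, "seen": T0 + 64,
     "payload": build_ntp(MODE_CLIENT, 0, xmit=unix_to_ntp(T0 + 64))},
    {"src": "198.51.100.6", "dst": "192.0.2.10", "ttl": 55, "seen": T0 + 64.02,
     "payload": build_ntp(MODE_SERVER, 2, unix_to_ntp(T0 + 64), unix_to_ntp(T0 + 64.01), unix_to_ntp(T0 + 64.011))},
]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_TRACE):
        print(f"{kind:24s} {detail}")
```

Run stand-alone it prints three alerts: the spoofed second reply from 198.51.100.5 trips both the duplicate check (TTLs 52 and 61) and the skew check (about +3600 s), and the reply from 203.0.113.7 is flagged as unsolicited; the clean exchange with 198.51.100.6 produces nothing. The skew check is deliberately the weakest of the three, since it depends on the sensor's own clock being trustworthy, which is the same problem the client has.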
