[189235] in North American Network Operators' Group
Re: NIST NTP servers
daemon@ATHENA.MIT.EDU (Sharon Goldberg)
Wed May 11 21:37:08 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <87eg989zx2.fsf@mid.deneb.enyo.de>
From: Sharon Goldberg <goldbe@cs.bu.edu>
Date: Wed, 11 May 2016 15:15:37 -0400
To: Florian Weimer <fw@deneb.enyo.de>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Well, if you really want to learn about the NTP servers a target is using
you can always just sent them a regular NTP timing query (mode 3) and just
read off the IP address in the reference ID field of the response (mode 4).
Reference ID reveals the target that the client is sync'd to.
If you do this over and over as the client changes the servers it sync's
to, you learn all the servers.
Or if you are really keen you can use our "kiss-of-death" attack to learn
all the servers a client is willing to take time from. See sections V.B-V.C
of our paper.
https://eprint.iacr.org/2015/1020.pdf
Sharon
On Wed, May 11, 2016 at 3:07 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Chris Adams:
>
> > First, out of the box, if you use the public pool servers (default
> > config), you'll typically get 4 random (more or less) servers from the
> > pool. There are a bunch, so Joe Random Hacker isn't going to have a
> > high chance of guessing the servers your system is using.
>
> A determined attacker will just run servers in the official pool.
>
>
--
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe
