[189242] in North American Network Operators' Group

Re: NIST NTP servers

daemon@ATHENA.MIT.EDU (Harlan Stenn)
Wed May 11 23:15:07 2016

X-Original-To: nanog@nanog.org
From: Harlan Stenn <stenn@ntp.org>
To: Harlan Stenn <stenn@ntp.org>
In-reply-to: <E1b0gv2-0008zk-5U@stenn.ntp.org>
Date: Thu, 12 May 2016 03:13:46 +0000
Cc: Florian Weimer <fw@deneb.enyo.de>,
 North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Harlan Stenn writes:
> Sharon Goldberg writes:
> > Well, if you really want to learn about the NTP servers a target is using
> > you can always just send them a regular NTP timing query (mode 3) and just
> > read off the IP address in the reference ID field of the response (mode 4).
> 
> Unless the server is an IPv6 server.  This trick only works for IPv4.
> 
> And we have a fix for all of this that will be out soon.

Also, the attacker will need to know the correct origin timestamp for
the brief window where that attack will work, and even if this happens
either the client or the server will see syslog entries alerting to the
abuse (if folks are running new enough versions of ntpd).

H
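
An added example, not part of the original message and not ntpd's own code: it decodes the reference ID of a mode 4 reply by stratum (per RFC 5905, an IPv6 upstream appears only as four octets of an MD5 hash) and applies the client-side origin timestamp check the message refers to. The function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

NTP_LEN = 48  # fixed header size, without extension fields or MAC


def describe_refid(stratum: int, refid: bytes) -> str:
    # Stratum 0 carries a kiss code, stratum 1 a clock source name (ASCII).
    if stratum <= 1:
        return refid.rstrip(b"\x00").decode("ascii", "replace")
    # Stratum 2+: IPv4 address of the upstream server, or the first four
    # octets of an MD5 hash when the upstream is IPv6. The packet does not
    # say which, so the dotted form is only a candidate address.
    return str(ipaddress.IPv4Address(refid))


def parse_ntp(packet: bytes) -> dict:
    """Decode the header fields discussed in the thread."""
    if len(packet) < NTP_LEN:
        raise ValueError("short NTP packet")
    (origin,) = struct.unpack("!Q", packet[24:32])
    return {
        "mode": packet[0] & 0x7,
        "stratum": packet[1],
        "refid": describe_refid(packet[1], packet[12:16]),
        "origin": origin,
    }


def accept_reply(packet: bytes, sent_transmit: int) -> bool:
    """A reply must be mode 4 and echo our transmit timestamp as its origin."""
    f = parse_ntp(packet)
    return f["mode"] == 4 and f["origin"] != 0 and f["origin"] == sent_transmit


def build_reply(stratum: int, refid: bytes, origin: int) -> bytes:
    """Constructed sample reply (LI=0, VN=4, mode=4); unused fields zeroed."""
    head = struct.pack("!BBbb", (4 << 3) | 4, stratum, 6, -20)
    return head + bytes(8) + refid + bytes(8) + struct.pack("!Q", origin) + bytes(16)


# Constructed sample data: T1 stands for the transmit timestamp of our own
# mode 3 query; 192.0.2.10 is a documentation-range address.
T1 = 0xDA5E1F2A_80000000
SAMPLE = build_reply(2, bytes([192, 0, 2, 10]), T1)

if __name__ == "__main__":
    print(parse_ntp(SAMPLE), accept_reply(SAMPLE, T1))
```

Running the parser against replies from your own servers shows what each one discloses about its upstream through the reference ID.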