On Tue, 04 Nov 2008 01:52:05 -0500 [EMAIL PROTECTED] wrote: > On Mon, 03 Nov 2008 22:23:07 PST, Paul Ferguson said: > > > I'm just wondering -- in globak scheme of security issue, is NTP > > security a major issue? > > The biggest problem is that you pretty much have to spoof a server > that the client is already configured to be accepting NTP packets > from. And *then* you have to remember that your packets can only lie > about the time by a very small number of milliseconds or they get > tossed out by the NTP packet filter that measures the apparent > jitter. Remember, the *real* clock is also sending correct updates. > At *best*, you lie like hell, and get the clock thrown out as an > "insane" timesource. But at that point, a properly configured clock > will go on autopilot till a quorum of sane clocks reappears, so you > don't have much chance of wedging in a huge time slew (unless you > *really* hit the jackpot, and the client reboots and does an ntpdate > and you manage to cram in enough false packets to mis-set the clock > then). > > So in most cases, you can only push the clock around by milliseconds > - and that doesn't buy you very much room for a replay attack or > similar, because that's under the retransmit timeout for a lost > packet. It isn't like you can get away with replaying something from > 5 minutes ago. > > Now, if you wanted to be *dastardly*, you'd figure out where a site's > Stratum-1 server(s) have their GPS antennas, and you'd read the recent > research on spoofing GPS signals - at *that* point you'd have a good > chance of controlling the horizontal and vertical.... > http://nob.cs.ucdavis.edu/bishop/papers/1990-acsac/ is old but does have a good analysis of the problem.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
signature.asc
Description: PGP signature
