This entirely discounts the fact that BCP-38 and BCP-84, more or
less, eliminate this "problem space" entirely.

I find it hard to believe NTP reflection is actually a problem in the year
2023, assuming you're not running a ridiculously old NTP client and have
taken really simple steps to protect your network.

On Sun, Aug 6, 2023, 15:42 Mel Beckman <m...@beckman.org> wrote:

> In a nutshell, no. Refer to my prior cites for detailed explanations. For
> a list of real-world attack incidents, see
>
> https://en.m.wikipedia.org/wiki/NTP_server_misuse_and_abuse#
>
>
>  -mel
>
> On Aug 6, 2023, at 12:03 PM, Royce Williams <ro...@techsolvency.com>
> wrote:
>
> 
> Naively, instead of abstaining ;) ... isn't robust diversity of NTP
> peering a reasonable mitigation for this, as designed?
>
> Royce
>
> On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman <m...@beckman.org> wrote:
>
>> William,
>>
>> Due to flaws in the NTP protocol, a simple UDP filter is not enough.
>> These flaws make it trivial to spoof NTP packets, and many firewalls have
>> no specific protection against this. In one attack the malefactor simply
>> fires a continuous stream of NTP packets with invalid time at your
>> firewall. When your NTP client queries the spoofed server, the malicious
>> packet is the one you likely receive.
>>
>> That’s just one attack vector. There are several others, and all have
>> complex remediation. Why should people bother being exposed to the risk at
>> all? Simply avoid Internet-routed NTP. There are many solutions, as I've
>> already described. Having suffered through such attacks more than once, I
>> can say from personal experience that you don't want to risk it.
>>
>>

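The "really simple steps" the top post alludes to have two halves: BCP-38/84 ingress filtering at the network edge (uRPF or equivalent, which stops spoofed-source packets from leaving your network), and not letting your own NTP servers answer the mode 6/7 control queries that reflection attacks bounce off them. The script below is an added example, not code from anyone in this thread: it audits a classic ntpd `ntp.conf` for the server-side half. It assumes ntp.org ntpd syntax (chrony and ntpsec spell these options differently), and the two sample configs it ships with are constructed for the demo; `ntp_reflector_audit`, `weak_conf` and `hardened_conf` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ntpd ntp.conf for the
# settings that keep the host from being usable as an NTP reflector.
# Assumes classic ntp.org ntpd syntax. Sample configs are constructed.

# ntp_reflector_audit FILE
#   Prints one line per finding; returns 0 if clean, 1 if any finding.
ntp_reflector_audit() {
    f="$1"
    bad=0
    # Default access-policy lines: "restrict default ..." and the
    # address-family forms "restrict -4 default" / "restrict -6 default".
    default_re='^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)'
    n_default=$(grep -cE "$default_re" "$f" || true)
    if [ "$n_default" -eq 0 ]; then
        echo "MISSING: no 'restrict default' line; every source gets full access"
        bad=1
    fi
    # Every default line must carry noquery (refuse mode 6/7 control
    # queries such as monlist, the payload that gets reflected) and
    # nomodify (refuse unauthenticated runtime reconfiguration).
    # A line that says "ignore" drops everything and is also fine.
    for flag in noquery nomodify; do
        n_ok=$(grep -E "$default_re" "$f" \
               | grep -cE "[[:space:]]($flag|ignore)([[:space:]]|$)" || true)
        if [ "$n_default" -gt 0 ] && [ "$n_ok" -ne "$n_default" ]; then
            echo "WEAK: a 'restrict default' line lacks '$flag'"
            bad=1
        fi
    done
    # Mode 7 monitor (monlist) off explicitly. Newer ntpd defaults to off,
    # but an explicit "disable monitor" survives a downgrade or a
    # distribution that re-enables it.
    if ! grep -qE '^[[:space:]]*disable([[:space:]]+[a-z]+)*[[:space:]]+monitor([[:space:]]|$)' "$f"; then
        echo "MISSING: 'disable monitor' (monlist still answerable)"
        bad=1
    fi
    return $bad
}

# Constructed sample: the pre-2014 style config that made hosts reflectors.
weak_conf() {
    cat <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
EOF
}

# Constructed sample: same server, hardened. LAN clients (TEST-NET-1 here)
# may still sync and run ntpq; the Internet side gets time only.
hardened_conf() {
    cat <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
disable monitor
EOF
}

# Demo: audit both constructed configs (sh this_file.sh).
for kind in weak hardened; do
    tmp=$(mktemp)
    "${kind}_conf" > "$tmp"
    echo "== $kind config =="
    if ntp_reflector_audit "$tmp"; then
        echo "OK: not usable as a reflector"
    fi
    rm -f "$tmp"
done
```

Point it at `/etc/ntp.conf` on each server you expose; anything it flags is a host that will amplify for whoever can spoof a source address toward it, which is exactly the traffic BCP-38 filtering at the edge is meant to drop before it gets there.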