Or one can select NTS-capable NTP servers, like those 5:

  a.st1.ntp.br
  b.st1.ntp.br
  c.st1.ntp.br
  d.st1.ntp.br
  gps.ntp.br

Or any other NTP server that has NTS deployed. Game-over for NTP impersonation.

Rubens

On Sun, Aug 6, 2023 at 4:41 PM Mel Beckman <m...@beckman.org> wrote:
>
> In a nutshell, no. Refer to my prior cites for detailed explanations. For a
> list of real-world attack incidents, see
>
> https://en.m.wikipedia.org/wiki/NTP_server_misuse_and_abuse#
>
> -mel
>
> On Aug 6, 2023, at 12:03 PM, Royce Williams <ro...@techsolvency.com> wrote:
>
> Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering a
> reasonable mitigation for this, as designed?
>
> Royce
>
> On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman <m...@beckman.org> wrote:
>>
>> William,
>>
>> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These
>> flaws make it trivial to spoof NTP packets, and many firewalls have no
>> specific protection against this. In one attack the malefactor simply fires
>> a continuous stream of NTP packets with invalid time at your firewall. When
>> your NTP client queries the spoofed server, the malicious packet is the one
>> you likely receive.
>>
>> That’s just one attack vector. There are several others, and all have
>> complex remediation. Why should people bother being exposed to the risk at
>> all? Simply avoid Internet-routed NTP. There are many solutions, as I’ve
>> already described. Having suffered through such attacks more than once, I
>> can say from personal experience that you don’t want to risk it.
>>
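As an added illustration of the NTS suggestion above (this is not code from anyone in the thread), the following sketch shows what "select NTS-capable servers" looks like on a chrony client: a config fragment that points only at the five ntp.br servers Rubens listed, with chrony's `nts` option so the client runs NTS-KE over TLS before trusting any response, plus a small check that reads `chronyc -N authdata` output and lists any source chrony is using without NTS. It assumes chrony 4.x syntax and the 4.x `authdata` column layout (Name, Mode, KeyID, ...); the `chronyc` output in the usage comment is constructed, not captured from a live host.

```shell
#!/bin/sh
# Added example: NTS-only chrony configuration and a check that every
# active source actually negotiated NTS. Not from the thread or from chrony.

# Config fragment for /etc/chrony/chrony.conf. The "nts" keyword makes
# chrony do an NTS-KE handshake (TLS, port 4460) with each server and
# authenticate every NTP packet it later accepts from it, so a spoofed
# or injected reply without a valid authenticator is discarded.
chrony_nts_conf() {
    cat <<'EOF'
server a.st1.ntp.br iburst nts
server b.st1.ntp.br iburst nts
server c.st1.ntp.br iburst nts
server d.st1.ntp.br iburst nts
server gps.ntp.br   iburst nts
# Client only: no "allow" lines, so this host never answers NTP queries.
EOF
}

# Read `chronyc -N authdata` output on stdin and print the name of every
# source whose Mode column is not "NTS". Exit status 0 means all sources are
# NTS-authenticated, 1 means at least one is not (e.g. a leftover pool line).
# Assumed chrony 4.x layout: header line, "=====" separator, then one source
# per line with columns Name/IP address, Mode, KeyID, Type, KLen, ...
unauthenticated_sources() {
    awk 'NR > 2 && $2 != "NTS" { print $1; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Usage on a real host (not run here):
#   chrony_nts_conf | sudo tee /etc/chrony/conf.d/nts.conf
#   chronyc -N authdata | unauthenticated_sources || echo "non-NTS source present"
```

The `authdata` check is worth running after a config change, because chrony silently keeps using a server as plain NTP if it was listed without `nts`, and a host that is only partly NTS-protected is still exposed to the spoofing Mel describes.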