-----Original Message-----
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Leo Bicknell
>Sent: Wednesday, May 11, 2016 9:31 AM
>To: nanog@nanog.org
>Subject: Re: NIST NTP servers
>
>Personally, my network gets NTP from 14 stratum 1 sources right now.
>You, and the hacker, do not know which ones. You have to guess at least
>8 to get me to move to your "hacked" time. Good luck.
>
>Redundancy is the solution, not a new single point of failure. GPS can be
>part of the redundancy, not a sole solution.

This seems like the most reasonable advice. If this truly becomes a concern, I would think IPS vendors could implement signatures to look for bad time. Lots of ways to do this:

- look for a difference between the IPS realtime and NTP status versus the incoming packets.
- look for duplicate NTP responses, or responses that weren't requested
- duplicate responses, but with differing TTLs, which might hint at one being spoofed.

Chuck
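The three IPS checks Chuck lists, sketched as an added example (not code from the thread or from any IPS product): a small detector run over a constructed stream of NTP request/reply records, where a reply's origin timestamp must echo the transmit timestamp of the request it answers. The packet records, the field names, and the 1-second skew threshold are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample of observed NTP packets (not real captures).
# mode 3 = client request, mode 4 = server reply; a reply's "org" must echo
# the "xmt" of the request it answers. "now" is the sensor's own clock.
PACKETS = [
    {"mode": 3, "client": "10.0.0.5", "server": "192.0.2.10", "xmt": 1000.0, "ttl": 64, "now": 1000.0},
    {"mode": 4, "client": "10.0.0.5", "server": "192.0.2.10", "org": 1000.0, "xmt": 1000.02, "ttl": 52, "now": 1000.03},
    # second reply to the same request, arriving with a different TTL: spoof hint
    {"mode": 4, "client": "10.0.0.5", "server": "192.0.2.10", "org": 1000.0, "xmt": 1000.02, "ttl": 118, "now": 1000.04},
    # reply that no request asked for, and carrying a time far from the sensor's
    {"mode": 4, "client": "10.0.0.5", "server": "198.51.100.7", "org": 999.0, "xmt": 1500.0, "ttl": 60, "now": 1000.05},
]

MAX_SKEW = 1.0  # seconds; assumed tolerance between reply time and sensor clock


def inspect_ntp(packets, max_skew=MAX_SKEW):
    """Return (rule, client, server) alerts for a stream of NTP packet records."""
    alerts = []
    pending = set()              # (client, server, xmt) of requests seen so far
    replies = defaultdict(list)  # (client, server, org) -> TTLs of replies seen
    for p in packets:
        c, s = p["client"], p["server"]
        if p["mode"] == 3:
            pending.add((c, s, p["xmt"]))
            continue
        # 1. server time disagrees with the sensor's own notion of real time
        if abs(p["xmt"] - p["now"]) > max_skew:
            alerts.append(("time_disagrees_with_sensor", c, s))
        # 2. reply that does not match any outstanding request
        key = (c, s, p["org"])
        if key not in pending:
            alerts.append(("unsolicited_response", c, s))
            continue
        # 3. more than one reply for the same request; differing TTLs are stronger
        seen = replies[key]
        if seen:
            rule = "duplicate_response_ttl_mismatch" if p["ttl"] not in seen else "duplicate_response"
            alerts.append((rule, c, s))
        seen.append(p["ttl"])
    return alerts
```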