Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering a reasonable mitigation for this, as designed?
Royce

On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman <m...@beckman.org> wrote:
> William,
>
> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These flaws make it trivial to spoof NTP packets, and many firewalls have no specific protection against this. In one attack the malefactor simply fires a continuous stream of NTP packets with invalid time at your firewall. When your NTP client queries the spoofed server, the malicious packet is the one you likely receive.
>
> That’s just one attack vector. There are several others, and all have complex remediation. Why should people bother being exposed to the risk at all? Simply avoid Internet-routed NTP. There are many solutions, as I’ve already described. Having suffered through such attacks more than once, I can say from personal experience that you don’t want to risk it.
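To make Royce's question concrete, here is an added simulation (not code from either poster) of the selection step an NTP client runs over its peers: a simplified Marzullo-style intersection that keeps the largest group of peers whose offset intervals overlap, plus a majority rule. The peer names, offsets and bounds are constructed sample values; it shows why a single spoofed source is discarded when several honest peers agree, and why a client with one or two upstreams has nothing to compare against.

```python
"""Simplified NTP-style peer selection on constructed sample data.

Each peer reports an offset estimate and an error bound (root distance);
the true offset is assumed to lie in [offset - bound, offset + bound].
A Marzullo-style sweep keeps the largest group of peers whose intervals
share a common point. A spoofed source whose time is an hour off cannot
overlap with honest peers and is dropped as a falseticker, but only if
enough honest peers exist to form a majority. Not a wire-level client.
"""
from statistics import median


def truechimers(peers):
    """peers: dict name -> (offset_seconds, bound_seconds).
    Returns the names in the largest mutually overlapping group."""
    events = []
    for name, (off, bound) in peers.items():
        events.append((off - bound, -1, name))  # interval start
        events.append((off + bound, +1, name))  # interval end
    events.sort()  # a start (-1) sorts before an end (+1) at equal x
    best, lo, hi, active = 0, 0.0, 0.0, 0
    for i, (x, kind, _) in enumerate(events):
        active -= kind  # start raises the count, end lowers it
        if active > best:  # new widest overlap begins here
            best, lo, hi = active, x, events[i + 1][0]
    return sorted(n for n, (off, b) in peers.items()
                  if off - b <= lo and off + b >= hi)


def agreed_offset(peers):
    """Median offset of the truechimers, or None when no strict majority
    of the configured peers agrees (one survivor of two tells you nothing)."""
    good = truechimers(peers)
    if len(good) * 2 <= len(peers):
        return None
    return median(peers[n][0] for n in good)


# Constructed sample: three honest peers within a few ms of each other,
# and one source answering with a time one hour in the future.
HONEST = {"peer-a": (0.003, 0.010), "peer-b": (-0.002, 0.012),
          "peer-c": (0.005, 0.008)}
SPOOFED = {**HONEST, "attacker": (3600.0, 0.010)}

if __name__ == "__main__":
    print("diverse peering:", truechimers(SPOOFED), agreed_offset(SPOOFED))
    print("single upstream:", agreed_offset({"attacker": (3600.0, 0.010)}))
```

With four peers the outlier is rejected and the clock is steered by the honest majority; with the spoofed source as the only upstream its hour-off time is accepted unchallenged, which is the exposure Mel describes.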