A carefully selected set of stratum 0 sources for a set of stratum 1 servers is the heart of good NTP source design. With at least four “local” stratum 1 servers, Dr. Mills’ algorithm is excellent at distinguishing truechimers from falsetickers and providing a reliable source of monotonic time. DoS is a separate problem.
My NTP network deployment experience for a major auto manufacturer, among others, is in agreement with William Herrin. A GPS NTP source is a valid Stratum 0 source, but relying on a single instance for local time is not exceedingly better than querying time.apple.com <http://time.apple.com/> or a similar source.

- James R. Cutler

> William,
>
> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These flaws make it trivial to spoof NTP packets, and many firewalls have no specific protection against this. In one attack the malefactor simply fires a continuous stream of NTP packets with invalid time at your firewall. When your NTP client queries the spoofed server, the malicious packet is the one you likely receive.
>
> That’s just one attack vector. There are several others, and all have complex remediation. Why should people bother being exposed to the risk at all? Simply avoid Internet-routed NTP. There are many solutions, as I’ve already described. Having suffered through such attacks more than once, I can say from personal experience that you don’t want to risk it.
>
> -mel
>
>> On Aug 6, 2023, at 10:53 AM, William Herrin <b...@herrin.us> wrote:
>>
>> On Sat, Aug 5, 2023 at 7:24 PM Mel Beckman <m...@beckman.org> wrote:
>>> That still leaves you open to NTP attacks. The USNO accuracy and monitoring is worthless if you suffer, for example, an NTP DDoS attack.
>>
>> Hi Mel,
>>
>> From what I can tell, a fairly simple firewall policy of allow UDP 123 from known NTP clients and established connections (I sent them a UDP packet recently) stops every one of those attacks (that's actually an NTP attack and not something else like a DNS attack) except for upstream address hijack that happens to coincide with your system boot. And it still depends on the attacker executing an additional sophisticated attack to do more than cause you a denial of service.
>>
>> The links you sent are very interesting, at least in an academic sense, but they don't cause me to be unduly concerned about employing NTP.
>>
>>> if you can eliminate such security problems for $400, I say it’s cheap at twice the price.
>>
>> Except you can't. Redundancy is required for any critical service. At the $400 price point, your approach has multiple single-points-of-failure. The device itself of course. Your ability to receive continuous non-jammed GPS signals at the location where you're able to place an antenna. And in your plan you'll need one of these in every discontiguous network where you have equipment since you're not doing NTP over the Internet.
>>
>> Not to mention the operations cost. Keeping track of a six inch brick with a wall wart and an antenna installed at a remote site is... not entirely abnormal but it's a one-off that consumes manpower.
>>
>> And then you're only vulnerable to the litany of Internet attacks which don't involve NTP. Yay!
>>
>> Don't get me wrong: the Time Machines TM1000A you recommended looks like a cool little device well worth checking into. As a supplement to Internet NTP, not a replacement.
>>
>> Regards,
>> Bill Herrin
>>
>>
>> --
>> William Herrin
>> b...@herrin.us
>> https://bill.herrin.us/
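The selection step James refers to, Mills' intersection algorithm as specified in RFC 5905 section 11.2.1, is worth seeing run on numbers: it shows concretely why one GPS source can never be checked, why two disagreeing sources only tell you that something is wrong, and why three or four let the client pick the truechimers. The following is an added Python example written for this thread; it is not code from the thread, from ntpd, or from any product mentioned above, and the server names, offsets and root distances are constructed.

```python
"""RFC 5905 clock selection, intersection step (added example, not from the thread)."""


def intersection_interval(candidates):
    """Run the intersection algorithm from RFC 5905 section 11.2.1.

    candidates: list of (name, theta, lam) where theta is the measured offset
    and lam the root distance, both in the same unit. Each source asserts
    that true time lies within [theta - lam, theta + lam].

    Returns (low, high, survivors). survivors holds the names whose offset
    falls inside the agreed interval (the truechimers); an empty list means
    no majority of intervals overlapped and the client should not sync.
    """
    m = len(candidates)
    # Three tuples per candidate: lower edge (-1), midpoint (0), upper edge (+1).
    edges = []
    for name, theta, lam in candidates:
        edges.append((theta - lam, -1))
        edges.append((theta, 0))
        edges.append((theta + lam, +1))
    # At equal values a lower edge sorts before a midpoint before an upper
    # edge, so two intervals that merely touch still count as overlapping.
    edges.sort()

    allow = 0
    while 2 * allow < m:              # tolerate fewer than half as falsetickers
        found = 0                      # midpoints seen outside the candidate interval
        low = high = None
        chime = 0
        for edge, kind in edges:       # lowest to highest: find the lower endpoint
            chime -= kind
            if chime >= m - allow:
                low = edge
                break
            if kind == 0:
                found += 1
        chime = 0
        for edge, kind in reversed(edges):  # highest to lowest: upper endpoint
            chime += kind
            if chime >= m - allow:
                high = edge
                break
            if kind == 0:
                found += 1
        # If more midpoints fall outside the interval than we allowed for,
        # some assumed truechimer does not fit: admit one more falseticker.
        if found <= allow and low is not None and high is not None and low <= high:
            survivors = [name for name, theta, _ in candidates if low <= theta <= high]
            return low, high, survivors
        allow += 1
    return None, None, []


# Constructed measurements in milliseconds, not real servers.
FOUR_LOCAL_SERVERS = [
    ("s1-a", 1.0, 10.0),      # truechimer: true time within [-9, 11]
    ("s1-b", 3.0, 12.0),      # truechimer: [-9, 15]
    ("s1-c", -2.0, 8.0),      # truechimer: [-10, 6]
    ("s1-d", 2500.0, 20.0),   # falseticker 2.5 s off: [2480, 2520]
]


def scenarios():
    """What the algorithm can conclude from one, two, three and four sources."""
    bad = FOUR_LOCAL_SERVERS[-1:]
    return {
        "single source, wrong": intersection_interval(bad)[2],
        "one good, one wrong": intersection_interval(FOUR_LOCAL_SERVERS[:1] + bad)[2],
        "two good, one wrong": intersection_interval(FOUR_LOCAL_SERVERS[:2] + bad)[2],
        "three good, one wrong": intersection_interval(FOUR_LOCAL_SERVERS)[2],
    }


if __name__ == "__main__":
    for label, survivors in scenarios().items():
        print(f"{label:24} -> survivors: {survivors or 'none (cannot sync)'}")
```

With a single source the algorithm has nothing to intersect against and accepts it, 2.5 seconds wrong and all; with two it detects the disagreement but cannot say which one is lying; from three upward the falseticker is discarded and the overlapping sources survive.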
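Mel's "continuous stream of NTP packets with invalid time" and Bill's "established connections" firewall rule both turn on the same question: can a reply be tied to a request the client actually sent? Beyond the firewall, RFC 5905 section 8 makes the client itself answer that by comparing the reply's origin timestamp with the transmit timestamp of its outstanding request and discarding a mismatch as a "bogus packet". The following added Python example, not code from the thread or from any NTP implementation, builds a client request and two server-mode replies (a genuine one and a constructed forgery whose origin field is a guess) and runs the client-side checks over them; clock values and the "GPS" reference ID are constructed.

```python
"""Client-side sanity checks on an NTP reply, after RFC 5905 section 8 (added example)."""
import struct

NTP_UNIX_DELTA = 2208988800        # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
PACKET_FORMAT = "!BBBb11I"         # 48-byte NTP header, no extension fields or MAC


def ntp_timestamp(unix_seconds):
    """Convert a Unix time (float) to a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return ((whole + NTP_UNIX_DELTA) & 0xFFFFFFFF) << 32 | frac


def _split(ts):
    """Split a 64-bit timestamp into the two 32-bit words the wire format uses."""
    return ts >> 32, ts & 0xFFFFFFFF


def build_client_request(transmit_ts):
    """Mode 3 (client) packet; the client keeps transmit_ts to match the reply."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # leap 0, version 4, mode 3
    return struct.pack(PACKET_FORMAT, li_vn_mode, 0, 6, -20,
                       0, 0, 0,                   # root delay, root dispersion, refid
                       0, 0,                      # reference timestamp
                       0, 0,                      # origin timestamp
                       0, 0,                      # receive timestamp
                       *_split(transmit_ts))


def build_server_response(origin_ts, stratum, receive_ts, transmit_ts, refid=0x47505300):
    """Mode 4 (server) packet. A genuine server copies the request's transmit
    timestamp into the origin field. refid 'GPS\\0' is a constructed value."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # leap 0, version 4, mode 4
    return struct.pack(PACKET_FORMAT, li_vn_mode, stratum, 6, -20,
                       0, 0, refid,
                       *_split(receive_ts),       # reference timestamp (constructed)
                       *_split(origin_ts),
                       *_split(receive_ts),
                       *_split(transmit_ts))


def validate_response(packet, expected_origin_ts):
    """Return (accepted, reason) for a reply to the request whose transmit
    timestamp was expected_origin_ts. These are the checks a client applies
    before a reply can influence its clock at all."""
    if len(packet) < 48:
        return False, "short packet"
    f = struct.unpack(PACKET_FORMAT, packet[:48])
    mode = f[0] & 0x07
    version = (f[0] >> 3) & 0x07
    stratum = f[1]
    origin_ts = (f[9] << 32) | f[10]
    transmit_ts = (f[13] << 32) | f[14]
    if mode != 4:
        return False, f"not a server reply (mode {mode})"
    if version not in (3, 4):
        return False, f"unsupported version {version}"
    if origin_ts != expected_origin_ts:
        # RFC 5905 packet test 2, "bogus packet": the sender never saw our
        # request, so its claimed time is dropped whatever the timestamps say.
        return False, "origin timestamp does not match our request"
    if stratum == 0:
        return False, "kiss-o'-death / unsynchronised server"
    if stratum > 15:
        return False, "invalid stratum"
    if transmit_ts == 0:
        return False, "zero transmit timestamp"
    return True, "accepted"


def demo():
    """Constructed exchange: a genuine reply and a forged one arriving on the
    same socket. Only the genuine reply survives the origin-timestamp check."""
    t0 = 1691340000.25                             # constructed client clock at send time
    our_tx = ntp_timestamp(t0)
    request = build_client_request(our_tx)
    assert len(request) == 48
    genuine = build_server_response(our_tx, 1,
                                    ntp_timestamp(t0 + 0.0100), ntp_timestamp(t0 + 0.0101))
    # Forged reply: right addresses and ports are assumed, but the origin field
    # is a guess because the forger never saw our request on the wire.
    forged = build_server_response(ntp_timestamp(t0 - 3600.0), 1,
                                   ntp_timestamp(t0 + 86400.0), ntp_timestamp(t0 + 86400.0))
    return {"genuine": validate_response(genuine, our_tx),
            "forged": validate_response(forged, our_tx)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

A stateful rule of the kind Bill describes drops forged replies that arrive when no request is outstanding; the origin-timestamp test drops the ones that slip in during the reply window, because the forger would have to know a 64-bit value it never saw. Neither helps against an on-path attacker who can read the request, which is what the remaining hijack case in the thread amounts to.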