True, but I did mention verifying packet sources. That needs to happen everywhere, and it's not hard to do. Just getting everyone to do it is tough.
Chuck

-----Original Message-----
From: Allan Liska [mailto:al...@allan.org]
Sent: Tuesday, May 10, 2016 10:40 AM
To: Chuck Church <chuckchu...@gmail.com>; 'Majdi S. Abbas' <m...@latt.net>; nanog@nanog.org
Subject: RE: NIST NTP servers

On 5/10/2016 at 10:30 AM, "Chuck Church" <chuckchu...@gmail.com> wrote:
>
> It doesn't really. Granted there are a lot of CVEs coming out for NTP the last year or so. But I just don't think there are that many attacks on it. It's just not worth the effort. Changing time on devices is more an annoyance than anything, and doesn't necessarily get you into a device. Sure you can hide your tracks a little by altering time in logs and altering it back, but that's more of an in-depth nation-state kind of attack, not going to be a script kiddie kind of thing. Just follow the best practices for verifying packet sources and NTP security itself, and you should be ok.
>
> Chuck

I would argue that the fact that NTP can be, and has been, used in DDoS amplification attacks is a serious concern for using the protocol going forward.

allan
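The two points in this exchange, verifying packet sources at the edge and the amplification property Allan raises, can both be checked from flow data. The following is an added Python example, not code from this thread or from any NTP project; the flow records, addresses (RFC 5737 documentation ranges) and prefix list are constructed sample data, and the thresholds are illustrative assumptions. The first function is the kind of ingress-filter (BCP 38 style) check that "verifying packet sources" refers to; the second reports NTP servers whose reply volume per request byte is far above the symmetric 48-byte exchange a normal time query produces.

```python
"""Defender-side checks on flow records: spoofed sources at a customer
edge, and NTP amplification ratios per (client, server) pair.
All data below is constructed for illustration."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    bytes: int


def find_spoofed_sources(ingress_flows, customer_prefixes):
    """Ingress-filter check: flows arriving on a customer-facing port whose
    source address is outside the prefixes assigned to that customer are
    spoofed (or misrouted) and should be dropped at the edge. Returns the
    offending flows."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    return [f for f in ingress_flows
            if not any(ipaddress.ip_address(f.src) in n for n in nets)]


def ntp_amplification(flows, min_ratio=10.0, min_packets=5):
    """Pair NTP requests (dport 123) with replies (sport 123) per
    (client, server) and report servers whose reply bytes per request byte
    reach min_ratio. A plain time query and its reply are the same size,
    so a large ratio means the server answers queries that return far more
    data than was sent, the property abused in reflection attacks."""
    req = defaultdict(lambda: [0, 0])   # (client, server) -> [pkts, bytes]
    rep = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == 123:
            req[(f.src, f.dst)][0] += f.packets
            req[(f.src, f.dst)][1] += f.bytes
        elif f.sport == 123:
            rep[(f.dst, f.src)][0] += f.packets
            rep[(f.dst, f.src)][1] += f.bytes
    findings = []
    for key, (rpkts, rbytes) in req.items():
        apkts, abytes = rep.get(key, (0, 0))
        if rpkts < min_packets or rbytes == 0:
            continue
        ratio = abytes / rbytes
        if ratio >= min_ratio:
            findings.append({"client": key[0], "server": key[1],
                             "ratio": round(ratio, 1), "reply_bytes": abytes})
    return sorted(findings, key=lambda x: -x["ratio"])


# Constructed sample: one customer port is assigned 192.0.2.0/24.
CUSTOMER_PREFIXES = ["192.0.2.0/24"]

# Flows seen entering from that customer port (constructed).
CUSTOMER_INGRESS_FLOWS = [
    # ordinary time sync: 5 requests of 48 bytes each
    Flow("192.0.2.10", "198.51.100.1", "udp", 40000, 123, 5, 240),
    # source address outside the customer's prefix: spoofed
    Flow("203.0.113.5", "198.51.100.2", "udp", 40000, 123, 10, 480),
]

# Replies observed elsewhere on the network (constructed).
REPLY_FLOWS = [
    Flow("198.51.100.1", "192.0.2.10", "udp", 123, 40000, 5, 240),
    # server answering with many large packets toward the spoofed address
    Flow("198.51.100.2", "203.0.113.5", "udp", 123, 40000, 100, 44000),
]

ALL_FLOWS = CUSTOMER_INGRESS_FLOWS + REPLY_FLOWS


if __name__ == "__main__":
    for f in find_spoofed_sources(CUSTOMER_INGRESS_FLOWS, CUSTOMER_PREFIXES):
        print("spoofed source at customer edge:", f.src, "->", f.dst)
    for hit in ntp_amplification(ALL_FLOWS):
        print("amplifying NTP server:", hit)
```

Run as a script it flags the 203.0.113.5 flow at the edge (it would never have reached the server with ingress filtering in place) and reports 198.51.100.2 with a reply-to-request ratio of about 92:1. The amplification check is deliberately direction-agnostic so it can be run on a resolver operator's own servers to find ones that still answer high-volume queries.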