I'm sure your right - so we have all our stratum 3's peered to each other
and to one stratum 2 - unless your spoofed source is stable and represents
a gentle shift from the real ref then I think it will still ignore it - of
course if you use a stable spoofed source it will most certainly work.
But if the asset is worth enough to go to this effort the site really
should have its own clock.
>I'm sorry, but you're wrong.
>You are left with only *one* stratum-2 system; the others will drop to
>stratum-3 or lower by lack of a stratum-1 reference. These stratum-3
>systems peer to each other and use your only stratum-2 left as there
>single point of reference.
>
>Try it. Block all incoming ntp-traffic except the traffic from one of the
>external servers. You might be surprised as to how quickly ntp adapts.
Cheers,
bret
Technical Incursion Countermeasures
consulting@bwa.net http://www.ticm.com/
ph: (+61)(08) 9454 2487(UTC+8 hrs) fax: (+61)(08) 9454 6042
The Insider - a e'zine on Computer security
http://www.ticm.com/about/insider.html
Received on Mar 13 1998
Intro
