Home page logo

nanog logo nanog mailing list archives

Re: pool.ntp.org NTP servers
From: Sean Donelan <sean () donelan com>
Date: Sun, 8 Jun 2003 00:15:19 -0400 (EDT)

On Sat, 7 Jun 2003, Robert Boyle wrote:
We run NTP client and server on all of our customer touching and core
routers and we just tell them to make their WAN gateway their NTP server.
This works well for us and we need to have correct and synchronized time on
all of our routers for logging and debugging purposes anyway. The processor
penalty seems to be very minimal (if anything) to respond to NTP requests
and seems to make sense to further the load distribution as much as
possible. Do others do this? does anyone see a reason it shouldn't be done
this way? It just seemed to make sense to me.

Already published in other forums.

As a general principle, having an open UDP port exposes your network
infrastructure to either something like a NTP worm (if one was written)
or a great attack amplifier by spoofing NTP queries from a victim's IP
address.  You can search Google for other NTP specific security issues.

Unfortunately, ISPs need to supply services to customers and every
service is potentially vulnerable to some type of attack.  Even an
isolated network such as the proposed GOVNET is vulnerable to certain
types of attacks.

ISPs provide time services in a few common ways
    1. They don't provide time service, use a "public" time server
    2. They provide time service from/to only selected NTP servers
    3. They provide time service from router interface to only the direct
        customer network
    4. They provide time service to anyone

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]