Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman <mel () beckman org>]

Bill,

That still leaves you open to NTP attacks. The USNO accuracy and monitoring is worthless if you suffer, for example, an 
NTP DDoS attack.

<https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/>
[ddos-lc.png]
NTP amplification DDoS attack<https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/>
cloudflare.com<https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/>


There  are also replay and Man in the middle attacks (MITM) which can corrupt local NTP servers’ time basis. Worse, 
security flaws in NTP make others security protocols, such as SSL, vulnerable.

https://www.sidn.nl/en/news-and-blogs/security-flaws-in-network-time-protocol-make-other-security-protocols-vulnerable

if you can eliminate such security problems for $400, I say it’s cheap at twice the price.

 -mel

On Aug 5, 2023, at 6:18 PM, William Herrin <bill () herrin us> wrote:

On Sat, Aug 5, 2023 at 12:26 PM Mel Beckman <mel () beckman org> wrote:
You might consider setting up your own GPS-based NTP network.

GPS time is monitored (and when necessary, adjusted) from the U.S.
Naval Observatory Master Clock, which is -the- authoritative time
source for the United States. The USNO also provides an NTP time
source from the same master clock:

https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/

You -should not- just point your servers there, but it's useful to
point a few servers each at one of them in order to serve as your
network stratum 2 sources that keep the rest of your machines in sync
with each other.

That last point is key. You don't want your servers in sync with
random Internet time sources. You want them in sync with each other.

Regards,
Bill Herrin



--
William Herrin
bill () herrin us
https://bill.herrin.us/