GPS Selective Availability did not disrupt the timing chain of GPS, only the
ephemeris (position information). But a government-disrupted timebase scenario
has never occurred, while hackers are a documented threat.
DNS has DNSSec, which while not deployed as broadly as we might like, at least
> On 7 Aug 2023, at 12:02, Rubens Kuhl wrote:
>
>
>
> On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman wrote:
> Or one can read recent research papers that thoroughly document the
> incredible fragility of the existing NTP hierarchy and soberly consider their
> recommendations for remediation:
On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman wrote:
> Or one can read recent research papers that thoroughly document the
> incredible fragility of the existing NTP hierarchy and soberly consider
> their recommendations for remediation:
>
The paper suggests the compromise of critical
Bill,
You’re mistaking targeted NTP attacks with global ones. Yes, to attack your
specific NTP client, the attacker has to know which NTP servers you’re using.
But to simply succeed at random attacks, the attacker need only spoof popular
servers. This is how time-shifting attacks work. Once an
Or one can read recent research papers that thoroughly document the incredible
fragility of the existing NTP hierarchy and soberly consider their
recommendations for remediation:
https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1A-2_24302_paper.pdf
Or simply use non-Internet NTP
On Sun, Aug 6, 2023 at 1:19 PM Royce Williams wrote:
> Wouldn't a robust implementation of peering - say, seven peers, with the NTP
> algorithm handily selecting a subset to peer with for each cycle - require an
> attacker to know and overwhelm not just one, but a majority of the peer IPs?
Hi
Or one can select NTS-capable NTP servers, like these five:
a.st1.ntp.br
b.st1.ntp.br
c.st1.ntp.br
d.st1.ntp.br
gps.ntp.br
Or any other NTP server that has NTS deployed. Game-over for NTP impersonation.
Rubens
On Sun, Aug 6, 2023 at 4:41 PM Mel Beckman wrote:
>
> In a nutshell, no. Refer to my
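As an added example (not configuration from the thread or from ntp.br), here is a chrony client configuration that uses the five servers Rubens lists with NTS turned on. It assumes chrony 4.0 or later, where NTS support was added, and that outbound TCP 4460 (the NTS-KE port, RFC 8915) is reachable in addition to UDP 123:

```conf
# /etc/chrony/chrony.conf (assumed path; chrony 4.0 or later)
# "nts" makes chrony run NTS-KE over TLS to the server and authenticate every
# NTP response, so a spoofed reply from a third party is rejected.
server a.st1.ntp.br iburst nts
server b.st1.ntp.br iburst nts
server c.st1.ntp.br iburst nts
server d.st1.ntp.br iburst nts
server gps.ntp.br   iburst nts

# Persist NTS cookies across restarts so a reboot does not need a fresh
# NTS-KE handshake for every server.
ntsdumpdir /var/lib/chrony

# Do not adjust the clock until at least three authenticated sources agree.
minsources 3
```

After a restart, `chronyc -N authdata` shows per-server NTS state (mode, key ID, number of cookies held); a server listed with mode `-` has no authentication and is still open to plain spoofing. One caveat: NTS-KE validates a TLS certificate, so a machine whose clock is years off at boot can fail the handshake until the clock is close to right; chrony's `nocerttimecheck` directive exists for that case, at the cost of accepting certificates outside their validity period, so use it only where the bootstrap problem is real.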
Where I work, we got sick of random problems with public email-to-SMS
gateways (sometimes multi-hour delays, or spontaneous issues with not
relaying, on different carriers), so we bought a hardware SMS gateway from
SMSEagle. Been using it for close to a year now, no issues.
We also looked at using sns
This entirely discounts the fact that BCP 38 and BCP 84 more or less
eliminate this "problem space" entirely.
I find it hard to believe ntp reflection is actually a problem in the year
2023, assuming you're not running a ridiculously old ntp client and have
taken really simple steps to
Respectfully, that Wikipedia article (which is mostly about legit but
unauthorized clients overwhelming a given peer) and your cites don't seem
to cover what I was responding to - the "don't peer with public NTP because
someone can flood your firewall and spoof the responses" problem. I just
want
In a nutshell, no. Refer to my prior cites for detailed explanations. For a
list of real-world attack incidents, see
A carefully selected set of stratum 0 sources for a set of stratum 1 servers is
the heart of good NTP source design. With at least four “local” stratum 1
servers, Dr. Mills' algorithm is excellent at distinguishing truechimers from
falsetickers and providing a reliable source of monotonic time.
Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering
a reasonable mitigation for this, as designed?
Royce
On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman wrote:
> William,
>
> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These
> flaws make it trivial
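The truechimer/falseticker selection that Royce's seven-peer question and the "at least four local stratum 1 servers" passage both rely on, as an added example that is not code from the thread or from ntpd: a simplified Python version of the clock-selection intersection step from RFC 5905 section 11.2.1, run over constructed sample peers. The survivor rule used here (a source survives if its correctness interval overlaps the majority interval) and the sample offsets are my simplifications for illustration, not ntpd's exact logic.

```python
"""Simplified NTP clock selection (intersection algorithm), RFC 5905 s.11.2.1.

Added example, not code from the thread or from ntpd. Each source reports an
offset and a root distance (error bound), giving a correctness interval
[offset - dist, offset + dist] that should contain the true time. The scan
below finds the widest interval covered by a majority of sources: sources
whose interval overlaps it are truechimers, the rest are falsetickers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Source:
    name: str
    offset: float     # measured clock offset against this source, seconds
    root_dist: float  # root distance (error bound) of this source, seconds

    @property
    def low(self) -> float:
        return self.offset - self.root_dist

    @property
    def high(self) -> float:
        return self.offset + self.root_dist


def intersection(sources: List[Source]) -> Optional[Tuple[float, float]]:
    """Return (low, high) of the largest interval backed by a majority, else None.

    allow = number of sources tolerated as falsetickers. It grows from 0 while
    2 * allow < m, so any result is supported by more than half of the
    sources; if even that fails there is no majority and nothing is selected.
    """
    m = len(sources)
    # Endpoint list: -1 marks a lower edge, +1 an upper edge. At equal values
    # the lower edge sorts first, so touching intervals count as overlapping.
    edges = sorted([(s.low, -1) for s in sources] + [(s.high, +1) for s in sources])
    for allow in range((m + 1) // 2):
        need = m - allow
        low = high = None
        chime = 0
        for edge, kind in edges:            # upward scan finds the lower end
            chime -= kind                   # +1 on a lower edge, -1 on an upper
            if chime >= need:
                low = edge
                break
        chime = 0
        for edge, kind in reversed(edges):  # downward scan finds the upper end
            chime += kind                   # +1 on an upper edge, -1 on a lower
            if chime >= need:
                high = edge
                break
        if low is not None and high is not None and low <= high:
            return low, high
    return None


def select(sources: List[Source]):
    """Split sources into (truechimers, falsetickers, majority_interval)."""
    band = intersection(sources)
    if band is None:
        return [], list(sources), None
    low, high = band
    true = [s for s in sources if s.high >= low and s.low <= high]
    false = [s for s in sources if s not in true]
    return true, false, band


# Constructed sample peers (not measured data): five honest peers agreeing to
# within a few milliseconds, and two responses from a spoofed popular server
# that are both shifted by about +30 s.
HONEST = [
    Source("a", 0.002, 0.010),
    Source("b", -0.001, 0.008),
    Source("c", 0.004, 0.012),
    Source("d", 0.000, 0.006),
    Source("e", 0.003, 0.008),
]
SPOOFED = [
    Source("f", 30.000, 0.010),
    Source("g", 30.001, 0.010),
]


def names(sources: List[Source]) -> List[str]:
    return [s.name for s in sources]


def demo_majority_honest():
    """Seven peers, two spoofed: the spoofed pair is outvoted."""
    true, false, band = select(HONEST + SPOOFED)
    return names(true), names(false), band


def demo_majority_spoofed():
    """One honest peer against two spoofed: the attacker's time is chosen."""
    true, false, band = select([HONEST[3]] + SPOOFED)
    return names(true), names(false), band


def demo_split():
    """Two against two: no majority, so no source is selected at all."""
    true, false, band = select(HONEST[:2] + SPOOFED)
    return names(true), names(false), band


if __name__ == "__main__":
    print("honest majority:", demo_majority_honest())
    print("spoofed majority:", demo_majority_spoofed())
    print("split vote:", demo_split())
```

The three demos are the whole argument in miniature: with five honest peers the two spoofed answers land outside the majority interval and are discarded; with one honest peer against two spoofed ones the algorithm faithfully selects the attacker's time, which is why spoofing a handful of popular servers works against clients with too few peers; and with an even split there is no majority and the client stops trusting anyone, which is the "no time" failure rather than the "wrong time" one.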
William,
Due to flaws in the NTP protocol, a simple UDP filter is not enough. These
flaws make it trivial to spoof NTP packets, and many firewalls have no specific
protection against this. In one attack the malefactor simply fires a continuous
stream of NTP packets with invalid time at your
On Sat, Aug 5, 2023 at 7:24 PM Mel Beckman wrote:
> That still leaves you open to NTP attacks. The USNO accuracy and monitoring
> is worthless if you suffer, for example, an NTP DDoS attack.
Hi Mel,
From what I can tell, a fairly simple firewall policy of allow UDP 123
from known NTP clients
Niels,
You’re the first person to mention neutral collocation facilities as a
requirement. The OP only talked about servers generally. Obviously, building
your own GPS-based NTP network requires you have visibility to the sky.
However, that need not be rooftop access. We routinely locate GPS
Hello.
For the past few weeks I have been noticing that various emails were
bouncing when sending to sms.myboostmobile.com, which has been a
reliable SMS gateway for 10+ years. I contacted "Advanced Support" on
Saturday who said that Boost Mobile has discontinued their SMS Email
Gateway
* m...@beckman.org (Mel Beckman) [Sun 06 Aug 2023, 04:26 CEST]:
if you can eliminate such security problems for $400, I say it’s
cheap at twice the price.
You must be unfamiliar with the prices neutral colocation facilities
charge for roof access.
-- Niels.