On 2014-12-20, Peter Hessler <[email protected]> wrote:

>:And it is probably vulnerable to this:
>:https://github.com/PentesterES/Delorean
>:(tl;dr Man-in-the-Middle)
>
> OpenNTPd embeds random cookies into several fields of the ntp packet,
> the server is required to copy them back into the reply, and the client
> checks them upon receiving it.
>
> Not as vulnerable as you think.

Perfectly vulnerable to MitM. It just protects against random hosts spraying you with bogus packets.

If you need authenticated NTP, use IPsec. While there, you'll want to authenticate nameserver replies, too.

-- 
Christian "naddy" Weisgerber [email protected]
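
The cookie check discussed in this thread, as a small in-memory model (an added example, not OpenNTPD's code and not part of the original messages). It assumes the cookie is a random 64-bit value placed in the query's transmit timestamp and echoed in the reply's origin timestamp; the function names and timestamp constants are constructed for illustration.

```python
import os
import struct

# 48-byte NTP header: flags, stratum, poll, precision, root delay,
# root dispersion, reference ID, then reference/origin/receive/transmit timestamps.
NTP_FMT = "!BBbb3I4Q"
T_TRUE = 0xD8400000 << 32    # constructed 64-bit NTP timestamps
T_FALSE = 0xD0000000 << 32

def make_query():
    """Client: put a random 64-bit cookie in the transmit timestamp (assumed field)."""
    cookie = int.from_bytes(os.urandom(8), "big")
    return struct.pack(NTP_FMT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, cookie), cookie

def cookie_of(query):
    """What anyone who can read the query on the wire learns."""
    return struct.unpack(NTP_FMT, query)[10]

def make_reply(origin, server_time):
    """Responder: echo the value into the origin timestamp; no key is involved."""
    return struct.pack(NTP_FMT, 0x24, 2, 0, -20, 0, 0, 0,
                       server_time, origin, server_time, server_time)

def accept_reply(reply, cookie):
    """Client check: mode 4 and echoed cookie. Returns the time or None."""
    if len(reply) != struct.calcsize(NTP_FMT):
        return None
    fields = struct.unpack(NTP_FMT, reply)
    if fields[0] & 0x07 != 4 or fields[8] != cookie:
        return None
    return fields[10]

def demo():
    query, cookie = make_query()
    honest = accept_reply(make_reply(cookie_of(query), T_TRUE), cookie)
    # Off-path sender never sees the query, so it must guess (constructed wrong guess).
    off_path = accept_reply(make_reply(cookie ^ 1, T_FALSE), cookie)
    # On-path party reads the cookie from the query; the check cannot tell it apart.
    on_path = accept_reply(make_reply(cookie_of(query), T_FALSE), cookie)
    return honest, off_path, on_path

if __name__ == "__main__":
    print(demo())
```

Only the off-path case is rejected by the cookie check. Binding the reply to a key, for example by carrying NTP over IPsec as suggested above, is what covers the on-path case.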
