Researchers tag new brace of bugs in NTP, but they're fixable

Back in January, Cisco dropped a bunch of NTP (network time protocol) patches; now, it's emerged that the research behind that round of fixes also turned up other bugs that haven't yet been fixed. This week, Ciscoans Matt Gundy and Jonathan Gardner teamed up with Boston University's Aanchal Malhotra, Mayank Varia, Haydn …

  1. tr1ck5t3r

    "Finally, we suggest the firewalls and ntpd clients block all incoming NTP control queries from unwanted IPs"

    This problem has been around for a few years now, even when sat behind firewalls, when getting your NTP time server to sync with online NTP sources. Surprised it's only just been aired, but will they spot and fix all the bugs? Only your server logs will tell.
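The paper's advice to "block all incoming NTP control queries from unwanted IPs" is about NTP modes 6 and 7 (the packets `ntpq` and `ntpdc` send), not about ordinary time requests. As an added example, not code from the article, the Cisco/BU paper or any commenter, here is a Python filter that reads the mode out of the first NTP header byte and flags mode 6/7 queries whose source is outside an allowlist. The packets, addresses and allowlist are constructed for the example.

```python
import ipaddress

# RFC 5905 mode field values (low three bits of the first header byte).
NTP_MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast",
    6: "control",  # ntpq-style mode 6 queries (readvar, readstat, ...)
    7: "private",  # ntpdc-style mode 7 queries (e.g. monlist)
}
QUERY_MODES = {6, 7}


def parse_ntp_header(payload: bytes) -> dict:
    """Split the first NTP header byte into LI (2 bits), VN (3 bits), mode (3 bits)."""
    if not payload:
        raise ValueError("empty NTP payload")
    first = payload[0]
    return {"li": first >> 6, "version": (first >> 3) & 0x7, "mode": first & 0x7}


def unwanted_control_queries(packets, allowed_nets):
    """Return (src_ip, version, mode_name) for mode 6/7 queries from outside allowed_nets.

    packets: iterable of (src_ip_str, udp_payload_bytes) as seen on UDP/123.
    allowed_nets: CIDR strings of hosts permitted to run ntpq/ntpdc against us.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for src, payload in packets:
        hdr = parse_ntp_header(payload)
        if hdr["mode"] not in QUERY_MODES:
            continue  # ordinary time exchange (client/server/symmetric); leave it alone
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in allowed):
            continue
        findings.append((src, hdr["version"], NTP_MODE_NAMES[hdr["mode"]]))
    return findings


# Constructed sample traffic (hypothetical addresses, not from the article).
SAMPLE_PACKETS = [
    # v4 client time request: 0x23 = LI 0, VN 4, mode 3, 48-byte packet
    ("10.0.0.5", bytes([0x23]) + bytes(47)),
    # v4 mode 6 control query, opcode 2 (READVAR), from the admin subnet
    ("10.0.0.7", bytes([0x26, 0x02]) + bytes(10)),
    # same READVAR query, but from an Internet address
    ("203.0.113.9", bytes([0x26, 0x02]) + bytes(10)),
    # v2 mode 7 private request (0x17 0x00 0x03 0x2a is the classic monlist probe)
    ("198.51.100.4", bytes([0x17, 0x00, 0x03, 0x2a]) + bytes(4)),
]
ALLOWED_NETS = ["10.0.0.0/24", "127.0.0.0/8"]


if __name__ == "__main__":
    for src, ver, mode in unwanted_control_queries(SAMPLE_PACKETS, ALLOWED_NETS):
        print(f"NTPv{ver} {mode} query from {src} is outside the allowlist")
```

A firewall can only make this distinction if it inspects the payload, which is why the paper addresses both the firewall and ntpd itself: in ntp.conf the `noquery` flag on a `restrict` line (for example `restrict default kod nomodify notrap nopeer noquery`, with a separate permissive `restrict` for the admin hosts) is what rejects mode 6/7 from everyone else while still serving time.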

  2. Anonymous Coward

    Why not filter by comparison?

    Normally you don't source network time from just one server, usually you set up at least 3 different ones and let the NTP daemon decide which one it likes best after a bit of settling in.

    If you source from a number of different confirmed locations, wouldn't it be an idea to draw from the non-preferred sources and see if that time is within some adjustable margin of the current system time as set by NTP? That way, when your preferred source starts to drift out of bounds you could flag it as a problem and reject that server. I assume this is best done after system clock drift has settled to something sensible.

    That is, of course, provided you can trust the server list - maybe I just moved the problem to DNS crypto with this :).


    1. Tom Chiverton 1

      Re: Why not filter by comparison?

      Linux's NTP already does that, no ?

    2. Arthur the cat

      Re: Why not filter by comparison?

      "That way, when your preferred source starts to drift out of bounds you could flag it as a problem and reject that server."

      That's what NTP daemons do, except they don't just flag and reject, they're constantly evaluating all time sources and switching between them as necessary.
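The comparison described in this sub-thread is ntpd's selection step: every source contributes an interval (measured offset plus or minus its error bound), the daemon looks for the largest group of sources whose intervals overlap, and only a group that is also a majority survives; the rest are "falsetickers". As an added illustration, not code from ntpd or from any commenter, here is a simplified Python version of that intersection algorithm followed by a 1/error-weighted combine step. The source names, offsets and error bounds are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    offset: float  # measured offset of this source vs. the local clock, seconds
    error: float   # half-width of its error bound (ntpd's root distance), seconds

    @property
    def lo(self) -> float:
        return self.offset - self.error

    @property
    def hi(self) -> float:
        return self.offset + self.error


def select_truechimers(sources):
    """Simplified NTP intersection algorithm (Marzullo-style).

    Finds the largest set of sources whose intervals [lo, hi] share a common
    point. Such a point can always be taken at some interval's lo edge, so it
    is enough to test every lo edge. Returns (truechimers, falsetickers,
    intersection); without a majority the result is ([], sources, None).
    """
    best, best_lo, best_hi = [], None, None
    for s in sources:
        members = [t for t in sources if t.lo <= s.lo <= t.hi]
        if len(members) > len(best):
            best = members
            best_lo = s.lo
            best_hi = min(t.hi for t in members)
    if 2 * len(best) <= len(sources):  # majority required, as in ntpd
        return [], list(sources), None
    falsetickers = [s for s in sources if s not in best]
    return best, falsetickers, (best_lo, best_hi)


def combine_offset(truechimers):
    """Weight surviving sources by 1/error (a stand-in for ntpd's combine step)."""
    weights = [1.0 / s.error for s in truechimers]
    return sum(w * s.offset for w, s in zip(weights, truechimers)) / sum(weights)


# Constructed measurements; names and numbers are illustrative only.
SOURCES = [
    Source("pool-a", 0.004, 0.010),
    Source("pool-b", 0.006, 0.015),
    Source("pool-c", 1.250, 0.020),   # drifted (or lying) by 1.25 s
    Source("pool-d", -0.002, 0.030),
]

if __name__ == "__main__":
    good, bad, window = select_truechimers(SOURCES)
    print("truechimers:", [s.name for s in good])
    print("falsetickers:", [s.name for s in bad])
    print("agreement window:", window)
    if good:
        print("combined offset: %.6f s" % combine_offset(good))
```

The majority rule is why two sources are worse than one or three: with only two that disagree, neither group is a majority and the daemon has nothing to select. The real ntpd also runs this continuously, so a source that starts drifting simply drops out of the majority group on a later pass, which is the "constantly evaluating and switching" behaviour described above.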

    3. tr1ck5t3r

      Re: Why not filter by comparison?

      Set your firewall to block all IP addresses irrespective of port and protocol, and then only allow UK universities', like Manchester's for example; your time server will still get hacked, at least mine have. That tells me even the UK unis' various systems have been hacked, unless GCHQ are injecting hacks.

      There is one point worth making though: unless you are a target, which I am due to my uncle being Keith Rose, who used to supply GCHQ with telecoms equipment and who famously broke out of Parkhurst, embarrassing the Govt, before further embarrassing them again by bypassing the phone security in prison to do a live radio interview, why would they hack you and expose their abilities?

      Not everyone will see these hacks, but the bugs which are backdoors in your open-source software are numerous. Log everything and hash all files; don't even trust read-only filesystems!

      Have disposable internet-connected servers and unencrypted packet data on all your internal main servers and log the packets; don't even trust your workstations if they connect online to encrypted websites. Then you can reduce the hacks to your system.

  3. Anonymous Coward

    Inexpensive fix

    If NTP and correct time is so important to one, buy an inexpensive satellite receiver like the Garmin GPS 18 LVC (< $100) and set up your own stratum 1 NTP server instead of syncing across the Internet. Hacking/MITMing satellite reception is a tad more difficult.

    1. short

      Re: Inexpensive fix

      Not that you should blindly trust GPS, though.

      It's just one more time source to contribute to your pool.

    2. Paul Crawford

      Re: Inexpensive fix

      Using a cheap GPS for accurate time is not quite so trivial though, as you need to set it up to use the 1 PPS timing signal as an additional input, since the RS232 messages have a significant delay and lots of jitter (tens of ms or more). Here is one example of doing so, but I have not tried it myself:

    3. Nate Amsden

      Re: Inexpensive fix

      So you say I can get better GPS signal from a datacenter floor than LTE, huh... I don't buy that.
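Paul Crawford's point above is that the serial NMEA sentence arrives late and with tens of milliseconds of jitter, while the 1 PPS edge is sharp, so the sentence should only be used to label which second the edge belongs to. As an added example, not code from any commenter, from ntpd or from gpsd, here is a Python sketch of that pairing run over a constructed capture: it validates the NMEA checksum and fix status, pairs each RMC sentence with the PPS edge it describes, and compares the clock offset you would estimate from the serial arrival time against the one from the PPS edge. The host timestamps (seconds of day on the local clock, assumed to run about 12 ms ahead of UTC), the serial delays and the NMEA bodies are all made up.

```python
def nmea_checksum(body: str) -> int:
    """XOR of every byte between the leading '$' and the '*'."""
    x = 0
    for ch in body:
        x ^= ord(ch)
    return x


def with_checksum(body: str) -> str:
    return f"${body}*{nmea_checksum(body):02X}"


def parse_rmc_utc(sentence: str):
    """Return UTC seconds-of-day from a $..RMC sentence with a valid fix, else None."""
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, cks = sentence[1:].partition("*")
    if len(cks) < 2 or int(cks[:2], 16) != nmea_checksum(body):
        return None  # corrupted on the serial line
    fields = body.split(",")
    if not fields[0].endswith("RMC") or len(fields) < 3 or fields[2] != "A":
        return None  # not RMC, or status 'V' = no valid fix
    hhmmss = fields[1]
    h, m, s = int(hhmmss[0:2]), int(hhmmss[2:4]), float(hhmmss[4:])
    return h * 3600 + m * 60 + s


def estimate_offsets(samples):
    """samples: (host_ts_at_pps_edge, host_ts_at_nmea_arrival, sentence).

    Host timestamps are seconds-of-day on the machine's own clock. Returns two
    lists of (host - UTC) offset estimates: one using only the serial sentence
    arrival time, one using the PPS edge that the sentence labels.
    """
    serial_only, pps_based = [], []
    for pps_ts, nmea_ts, sentence in samples:
        utc = parse_rmc_utc(sentence)
        if utc is None:
            continue
        # The sentence describes the PPS edge that preceded it; accept it only
        # if it arrived after that edge and before the next one.
        if not 0.0 <= nmea_ts - pps_ts < 1.0:
            continue
        serial_only.append(nmea_ts - utc)
        pps_based.append(pps_ts - utc)
    return serial_only, pps_based


def jitter(values):
    return max(values) - min(values)


def _rmc(hhmmss: str, status: str = "A") -> str:
    # Constructed RMC body with a fixed dummy position and date.
    return with_checksum(f"GPRMC,{hhmmss},{status},5130.00,N,00007.00,W,0.0,0.0,010116,,,A")


# Constructed capture: host clock runs ~12.2 ms ahead of UTC; the serial
# sentence lands 60-135 ms after the edge it describes.
SAMPLES = [
    (43200.0121, 43200.0780, _rmc("120000.00")),
    (43201.0122, 43201.1350, _rmc("120001.00")),
    (43202.0120, 43202.0610, _rmc("120002.00")),
    (43203.0123, 43203.1120, _rmc("120003.00")),
    (43204.0122, 43204.0900, _rmc("120004.00", status="V")),  # no fix: ignored
]

if __name__ == "__main__":
    serial, pps = estimate_offsets(SAMPLES)
    print("serial-only offsets (s):", [round(v, 4) for v in serial])
    print("PPS-based offsets (s):  ", [round(v, 4) for v in pps])
    print(f"jitter: serial {jitter(serial) * 1e3:.1f} ms vs PPS {jitter(pps) * 1e3:.2f} ms")
```

On this constructed data the serial-only estimate wanders by about 70 ms while the PPS-based one is stable to well under a millisecond, which is the gap that makes the PPS input worth wiring up. ntpd's NMEA refclock driver with its PPS option, and gpsd feeding chrony or ntpd, do the same pairing for real hardware.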

  4. Anonymous Coward

    "Hacking/MITMing satellite reception is a tad more difficult."

    Drone? :)

  5. JeffyPoooh

    This guy has it covered...

    See also...


    Science as comedy. Fantastic.
