Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: NTP servers

  • From: Sean Donelan
  • Date: Sun Jun 08 00:17:47 2003

On Sat, 7 Jun 2003, Robert Boyle wrote:
> We run NTP client and server on all of our customer touching and core
> routers and we just tell them to make their WAN gateway their NTP server.
> This works well for us and we need to have correct and synchronized time on
> all of our routers for logging and debugging purposes anyway. The processor
> penalty seems to be very minimal (if anything) to respond to NTP requests
> and seems to make sense to further the load distribution as much as
> possible. Do others do this? does anyone see a reason it shouldn't be done
> this way? It just seemed to make sense to me.

Already published in other forums.

As a general principle, having an open UDP port exposes your network
infrastructure to either something like a NTP worm (if one was written)
or a great attack amplifier by spoofing NTP queries from a victim's IP
address.  You can search Google for other NTP specific security issues.

Unfortunately, ISPs need to supply services to customers and every
service is potentially vulnerable to some type of attack.  Even an
isolated network such as the proposed GOVNET is vulnerable to certain
types of attacks.

ISPs provide time services in a few common ways
    1. They don't provide time service, use a "public" time server
    2. They provide time service from/to only selected NTP servers
    3. They provide time service from router interface to only the direct
	customer network
    4. They provide time service to anyone

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.