We get a time check twice a day and will adjust our clocks at most 5 secs per time or
a total of 10 seconds per day. Additionally, each time adjustment is syslogged and emailed
to our admins. That kind of takes care of the problems that can crop up.
Stan
From firewalls-owner@GreatCircle.COM Wed Apr 12 01:38:36 1995
Date: Wed, 12 Apr 1995 09:52:53 +0200
From: F.Wetzels@amc.uva.nl (Frank Wetzels)
Subject: Re: NTP and SATAN
To: firewalls@greatcircle.com
fpmw> There have been some rumors making the rounds on the net recently that
fpmw> the Network Time Protocol, NTP, has a vulnerability to one of the
fpmw> tests that SATAN performs. The rumor states that one of SATAN's tests
fpmw> will cause the time to suddenly shift by several years.
fpmw>
fpmw> Real NTP daemons, including cisco's implementation and the freely available
fpmw> Unix implementation "xntpd" do *not* have this vulnerability, due to extensive
fpmw> format checking of incoming packets, and due to the statistical selection
fpmw> mechanisms used (a packet with wildly incorrect time would be discarded
fpmw> as an outlier).
But how about sending packets that shift time a little bit? After a number
of packets, the time could be changed considerably?
- Frank
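The limits described earlier in the thread (at most 5 seconds per time check, 10 seconds per day, every adjustment logged) put a bound on the gradual shift asked about here. The sketch below is an added example, not part of either message or of any NTP implementation; the class and function names are hypothetical, and the `logging` calls stand in for the syslog entry and admin e-mail.

```python
import logging

log = logging.getLogger("timecheck")

PER_CHECK_CAP = 5.0   # seconds, from the thread: at most 5 s per time check
PER_DAY_CAP = 10.0    # seconds, from the thread: 10 s total per day


class ClampedClock:
    """Hypothetical clock-adjustment policy; names are illustrative."""

    def __init__(self):
        self.offset_applied = 0.0   # total correction applied so far
        self.used_today = 0.0       # absolute correction spent today

    def new_day(self):
        self.used_today = 0.0

    def time_check(self, measured_offset):
        """Apply at most the capped part of measured_offset; return it."""
        budget = min(PER_CHECK_CAP, PER_DAY_CAP - self.used_today)
        step = max(-budget, min(budget, measured_offset))
        if step != measured_offset:
            log.warning("offset %.1fs clamped to %.1fs", measured_offset, step)
        if step:
            self.used_today += abs(step)
            self.offset_applied += step
            log.info("clock adjusted by %.1fs", step)  # stands in for syslog + mail
        return step


def simulate(days, offsets_per_day):
    """Feed the same measured offsets every day; return total shift applied."""
    clock = ClampedClock()
    for _ in range(days):
        clock.new_day()
        for off in offsets_per_day:
            clock.time_check(off)
    return clock.offset_applied
```

A wildly wrong offset moves the clock by no more than 10 seconds in a day, while a steady run of small same-direction offsets still accumulates across days (56 seconds over a week at 4 seconds per check), so the per-adjustment log is what exposes the trend.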