[ntp:questions] NTP internal server?

Richard B. Gilbert rgilbert88 at comcast.net
Sun Oct 29 19:49:13 UTC 2006


Maarten Wiltink wrote:

> "Richard B. Gilbert" <rgilbert88 at comcast.net> wrote in message
> news:_eWdna3k2Zfvpd_YnZ2dnUVZ_uqdnZ2d at comcast.com...
> 
>>Maarten Wiltink wrote:
>>
>>>"Richard B. Gilbert" <rgilbert88 at comcast.net> wrote in message
>>>news:9dqdndo838CLatzYnZ2dnUVZ_uqdnZ2d at comcast.com...
> 
> 
>>>>As far as anyone here knows there are no "exploits" associated with
>>>>NTP.
> 
> 
>>>After a short look-around on SecurityFocus, I would like to exclude
>>>myself from that 'anyone' group.
> 
> 
>>All right, there are, or were, fifteen reported exploits.  None is dated
>>more recently than 2004 and some seem to be complaining about ten-year-old
>>software distributed by companies such as Sun, Red Hat, Debian, etc.
> 
> 
> Still distributed right now, yes. For all those people who aren't allowed
> to run something not backed by RFCs, and then come here with questions
> about something called xntp. Sound familiar?
> 
> 
> [...]
> 
>>I'd say that the proper response is not to forbid the use of the NTP
>>protocol but rather to avoid running defective implementations thereof!
> 
> 
> That would be nice. However, letting your guard down is _never_ a
> secure response. I will work on the assumption that there are exploits
> in the current NTP until you _prove_ to me it's safe, and I'm not
> holding my breath.

If you want "proof" that ANY piece of software is free from bugs or 
exploits, you may have a very long wait!

Ever wonder why half the world failed to handle the last leap second 
properly???   A large number of servers were running software with a bug.



