[ntp:hackers] A stop-gap authenticated time service

Kurt Roeckx kurt at roeckx.be
Wed Nov 11 14:49:22 UTC 2015


On Mon, Nov 09, 2015 at 11:35:46AM +0000, Poul-Henning Kamp wrote:
> >But I'm not sure this approach scales well. Consider how expensive TLS
> >is and how many clients a single server could handle when compared to
> >the plain NTP or NTP+NTS. To me it looks like a band-aid that will
> >need to be ripped off when NTS or something else is readily available
> >in NTP.
> 
> It is by no means ideal, but it is possible now, and it would give
> people a way to mitigate and likely neuter the naked NTP attacks.
> 
> The load is smaller than people generally think, one million clients
> doing one HTTPS check every hour is way below the capacity of vanilla
> server hardware HW.

So that would be 277 connections per second.  This seems to be
pretty close to what you can do with a single core (depending
on the cipher).


Kurt
