[ntp:hackers] A stop-gap authenticated time service
kurt at roeckx.be
Wed Nov 11 14:49:22 UTC 2015
On Mon, Nov 09, 2015 at 11:35:46AM +0000, Poul-Henning Kamp wrote:
> >But I'm not sure this approach scales well. Consider how expensive TLS
> >is and how many clients a single server could handle when compared to
> >the plain NTP or NTP+NTS. To me it looks like a band-aid that will
> >need to be ripped off when NTS or something else is readily available
> >in NTP.
> It is by no means ideal, but it is possible now, and it would give
> people a way to mitigate and likely neuter the naked NTP attacks.
> The load is smaller than people generally think, one million clients
> doing one HTTPS check every hour is way below the capacity of vanilla
> server hardware HW.
So that would be 277 connections per second. This seems to be
pretty close on what you can do with a single core (depending
on the cipher).
More information about the hackers