>>> All right, there are, or were, fifteen reported exploits.  None is
>>> dated more recently than 2004 and some seem to be complaining about
>>> ten-year-old software distributed by companies such as Sun, Red Hat,
>>> Debian, etc.
> Maarten> Still distributed right now, yes. For all those people who
> Maarten> aren't allowed to run something not backed by RFCs, and then
> Maarten> come here with questions about something called xntp. Sound
> Maarten> familiar?
> What's your point?  I don't see how what you just said applies to the
> thread.

I object to Richard's statement that old vulnerabilities are irrelevant
and no cause for concern. More than most other software, NTP is haunted
by users of old versions.

> Maarten> I will work on the assumption that there are exploits in the
> Maarten> current NTP until you _prove_ to me it's safe, and I'm not
> Maarten> holding my breath.
> Are you volunteering to perform or pay for a code audit?

Don't be silly. I'll just teach my firewall to block access from
untrusted sources to my NTP server, as I do for every service on every

Richard says not to worry, there are no recent vulnerabilities known.
I say never to stop worrying, there are too many unknowns.

Maarten Wiltink

