TL;DR Most NTP networks are relying on GPS versus a high precision on-site time keeping device. Break GPS, and you break timekeeping for a wide swath of the worldwide NTP pool. But thems the breaks when you can get access to atomic clocks in space (each GPS satellite carries an atomic clock on board) just by sticking an antenna out the window.
If you require precision time for critical business operations (financial transactions, global database operations), you should be running a precision time source locally at your datacenter; for under $20 an attacker could deny you GPS timing.
If anyone is wondering: yes, you can own your very own atomic clock for a "reasonable" price! I encourage everyone to read [0] where a father takes his kids and a few atomic clocks up a mountain and back down. By looking at the clock drift due to changes in gravity, he was able to observe relativity!
> If anyone is wondering: yes, you can own your very own atomic clock for a "reasonable" price!
Just to clarify, the clocks used to demonstrate gravitational time dilation were on the order of $10,000 (or more, e.g., [0]). But one can find rubidium standards online for a few hundred dollars.
To add to this, you can buy GPS time source dongles really cheap and in Linux it's not too hard to run one as a parallel/backup time source.
Especially when using distributed databases where write priority is determined by timestamp, someone wrecking havoc with your time source could bring down the database
Thanks, but the articles you link don't really describe what I was asking about (and the "TL;DR" doesn't appear to be actually derived from those in an obvious way). I know about the strata and the use of GPS as stratum 0 clocks.
I was interested in more details about why GPS is dangerous (i.e., more about "breaking GPS"). I get that a cheap jamming attack can disrupt a single NTP server/location. But it isn't obvious that that leads to widespread use of GPS being a bad thing for NTP pools. Because it would require a widespread (near-simultaneous?) jamming for several hundred physical locations to bring down a large chunk of the pool in that way. Of course, somehow corrupting the global GPS signal would be an issue, but how would that happen?
There was an interesting presentation at Kiwicon (a New Zealand security conference) the other day; someone demonstrated mimicing a GPS radio to trigger NTP drift in servers. The upshot was that it wasn't difficult, and gave you an avenue to replaying TOTP/2fa tokens...
Were they properly setup? Generally you want a local time source (GPS), the local CPU clock, and of course anyone you peer with (ideally 2 other peers on site) and of course your servers (ideally 3 as separate as possible from each other).
So the way it's supposed to work is that NTP models the error in all the above services and noticed when a source deviates. So if someone screws with the local GPS you should ignore it, and do the best you can with the remaining sources.
If you trigger NTP drift with a single source something is wrong with the setup.
A side-effect of a 4+ satellite fix is both extremely accurate and extremely precise computation of current time (in addition to location). (GPS sats broadcast time, receivers triangulate.) Some high-quality receivers (Trimble, probably others) attempt to count the number of pseudowavelengths back to the satellite, including relativistic, gravimetric and atmospheric effects. http://www.trimble.com/gps_tutorial/sub_phases.aspx
Thanks, but I was asking why heavy use of GPS in NTP pools was a bad thing, rather than how GPS can be used to determine a reference time (I'm aware of the use of GPS as a stratum 0 clock).
http://www.ntp.org/ntpfaq/NTP-s-refclk.htm
TL;DR Most NTP networks are relying on GPS versus a high precision on-site time keeping device. Break GPS, and you break timekeeping for a wide swath of the worldwide NTP pool. But thems the breaks when you can get access to atomic clocks in space (each GPS satellite carries an atomic clock on board) just by sticking an antenna out the window.
If you require precision time for critical business operations (financial transactions, global database operations), you should be running a precision time source locally at your datacenter; for under $20 an attacker could deny you GPS timing.