Outdated Versions of NTP Leaving Users Vulnerable - NTP v3

[bobpf]

It looks like your still using v3 protocol that has known vulnerabilities and is subject to be using in DDos attacks. Version 4 has been around since 2010 and earlier. Is this on your radar and if so when do you plan on upgrading the version/protocol used?

https://www.nwtime.org/outdated_versions_of_ntp_leaving_users_vulnerable/

[bobpf]

Usage of NTPv3 protocol has come up on a security review. Can you comment on its usage and the possibility of getting v4 implemented as the primary protocol or as an configuration option?

[efeint01]

Hello @bobpf . So what do you prefer to use? The library is really old and questions still remain unanswered. This is status broken

[bobpf]

Switching the protocol to us NTP v4 would be preferable.

[efeint01]

Thank you. I also using Android Secure Timer which is so good library for this, and I never see errors.

[bobpf]

How does Secure Timer related to NTP v4?

[kaushikgopal]

@bobpf : first priority is probably landing the move to coroutines and improving the algorithm further. there's no immediate plan on moving to NTP v4 but I'm curious to read up more to get a better sense of the effort (as we gradually work on the other PRs).

do you have other helpful documentation/links that are a little more developer focused for me to read up on?

[metatron1973]

System rack with fraud please start forensic audit