One of the main problems in tying all production time management operations to a single primary server is the potential for crackers to either spoof a legitimate primary server and pretend to be the primary server or to undertake a denial of service attack. Fortunately, NTP provides authentication procedures to ensure that only authorized servers and clients can access their peers and/or the primary server. In addition, the use of multiple authoritative sources, including a backup external hardware clock, can remove some of the problems associated with denial of service attacks—after all, if an external network port is being blocked by an attacker or group of attackers, the local standby can always be used.
NTP security is ultimately based on trust relationships that are developed as part of an overall network design. In addition, a number of innovations in the NTP authentication system make it very difficult for a cracker to spoof a primary server. For example, the original timestamp is equivalent to a one-time pad, although if the cracker has knowledge of previous timestamps, it may be possible (with sufficient CPU power) to successfully spoof a server. However, given the error estimation procedures and methods for clients to select the most accurate server, it’s unlikely that an attack would succeed.