
The Security of NTP’s Datagram Protocol

  • Conference paper
Financial Cryptography and Data Security (FC 2017)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10322)


Abstract

For decades, the Network Time Protocol (NTP) has been used to synchronize computer clocks over untrusted network paths. This work takes a new look at the security of NTP’s datagram protocol. We argue that NTP’s datagram protocol in RFC5905 is both underspecified and flawed. The NTP specifications do not sufficiently respect (1) the conflicting security requirements of different NTP modes, and (2) the mechanism NTP uses to prevent off-path attacks. A further problem is that (3) NTP’s control-query interface reveals sensitive information that can be exploited in off-path attacks. We exploit these problems in several attacks that remote attackers can use to maliciously alter a target’s time. We use network scans to find millions of IPs that are vulnerable to our attacks. Finally, we move beyond identifying attacks by developing a cryptographic model and using it to prove the security of a new backwards-compatible client/server protocol for NTP.


Notes

  1. This follows because time-synchronization protocols use information about the delay on the network path in order to accurately synchronize clocks (Sect. 2). A client cannot distinguish the delay on the forward path (from client to server) from the delay on the reverse path (from server to client). As such, the client simply takes the total round trip time \(\delta\) (forward path + reverse path), and assumes that delays on each path are symmetric. The MiTM can exploit this by making delays asymmetric (e.g., causing the delay on the forward path to be much longer than delay on the reverse path), thus biasing time synchronization.

  2. Note that ntpd does not randomize the UDP source port to create an additional nonce; instead, all NTP packets have UDP source port 123.

  3. Indeed, suppose we did update the xmt variable even after receipt of a bogus packet that fails TEST2, with the bogus origin timestamp in the received packet. In this case, we would be vulnerable to a chosen-origin-timestamp attack, where an attacker injects a first packet with an origin timestamp of their choosing. The injected packet fails TEST2 and is dropped, but its origin timestamp gets written to the target’s local xmt variable. Then, the attacker injects another packet with this same origin timestamp, which passes TEST2 and is accepted by the target.

  4. As observed by [19], hosts respond to unauthenticated mode 3 queries from arbitrary IP addresses by default. The mode 4 response (Fig. 4) has a reference ID field that reveals the IPv4 address of the responding host’s time server. Thus, our off-path attacker sends its target a (legitimate) mode 3 query, and receives in response a mode 4 packet, and learns the target’s server from its reference ID. Moreover, if the attacker’s shenanigans cause the target to synchronize to a different server, the attacker can just learn the IP of the new server by sending the target a new mode 3 query. The attacker can then spoof packets from the new server as well.

  5. To avoid being blacklisted, we refrained from sending monlist queries.

  6. We compute the offset \(\theta\) using Eq. (2), with \(T_1\), \(T_2\), \(T_3\) from the packet timestamps and \(T_4\) from the frame arrival time of the mode 4 response packet.

  7. See Line 1094 in ntp_proto.c in https://github.com/ntp-project/ntp/commit/fb8fa5f6330a7583ec74fba2dfb7b6bf62bdd246.

  8. RFC5905 specifies MD5(key||message) for authenticating NTP packets, but this is not a secure MAC [6]. We are currently in the process of standardizing a new secure MAC for NTP [21].

  9. However, it is not always true that \(k \ge 4\). In the full version we present an ntpd bug (CVE-2016-7433) that allows for \(k = 1\) upon reboot.
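
The invariant behind Note 3, as an added example (not code from the paper or from ntpd): a toy C model showing that a packet failing TEST2 must leave xmt unchanged. The struct and function names and both timestamp constants are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed 64-bit timestamps; neither value comes from the paper. */
#define QUERY_XMT   0xDD5A1C0012345678ULL /* transmit timestamp of our query */
#define FOREIGN_ORG 0x1111111122222222ULL /* origin timestamp we never sent */

struct assoc { uint64_t xmt; }; /* client state: last transmit timestamp */
struct pkt   { uint64_t org; }; /* received packet: echoed origin timestamp */

/* TEST2 as described in the note: the origin timestamp must match xmt. */
static bool test2(const struct assoc *a, const struct pkt *p) {
    return p->org == a->xmt;
}

/* Flawed policy: xmt is overwritten even when the packet fails TEST2. */
static bool receive_flawed(struct assoc *a, const struct pkt *p) {
    bool ok = test2(a, p);
    a->xmt = p->org; /* unvalidated input becomes trusted state */
    return ok;
}

/* Safe policy: a packet that fails TEST2 is dropped with no state change. */
static bool receive_safe(struct assoc *a, const struct pkt *p) {
    return test2(a, p);
}
typedef bool (*recv_fn)(struct assoc *, const struct pkt *);

/* Two packets with the same foreign origin arrive; is the second accepted? */
static bool second_bogus_accepted(recv_fn rx) {
    struct assoc a = { .xmt = QUERY_XMT };
    struct pkt bogus = { .org = FOREIGN_ORG };
    (void)rx(&a, &bogus); /* first copy always fails TEST2 */
    return rx(&a, &bogus);
}

/* Is the genuine response still accepted after one bogus packet? */
static bool genuine_accepted_after_bogus(recv_fn rx) {
    struct assoc a = { .xmt = QUERY_XMT };
    struct pkt bogus = { .org = FOREIGN_ORG }, real = { .org = QUERY_XMT };
    (void)rx(&a, &bogus);
    return rx(&a, &real);
}

int main(void) {
    printf("flawed: bogus=%d genuine=%d\n", second_bogus_accepted(receive_flawed),
           genuine_accepted_after_bogus(receive_flawed));
    printf("safe:   bogus=%d genuine=%d\n", second_bogus_accepted(receive_safe),
           genuine_accepted_after_bogus(receive_safe));
}
```

In this model the flawed policy also rejects the genuine response, because the bogus packet has already replaced the xmt value that the response echoes.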

References

  1. https://github.com/dfoxfranke/nts

  2. https://github.com/mlichvar/chrony/blob/master/ntp_core.c#L908

  3. https://github.com/ntp-project/ntp/blob/1a399a03e674da08cfce2cdb847bfb65d65df237/libntp/ntp_random.c

  4. https://github.com/philpennock/openntpd/blob/master/client.c#L174

  5. The NIST authenticated NTP service (2010). http://www.nist.gov/pml/div688/grp40/auth-ntp.cfm. Accessed July 2015

  6. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_1


  7. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS, pp. 136–145. IEEE (2001)


  8. Clayton, R., Murdoch, S.J., Watson, R.N.M.: Ignoring the Great Firewall of China. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 20–35. Springer, Heidelberg (2006). https://doi.org/10.1007/11957454_2


  9. corbixgwelt. Timejacking & bitcoin: The global time agreement puzzle (culubas blog) (2011). http://culubas.blogspot.com/2011/05/timejacking-bitcoin_802.html. Accessed Aug 2015

  10. Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., Karir, M.: Taming the 800 pound gorilla: the rise and decline of NTP DDoS attacks. In: Proceedings of the 2014 Internet Measurement Conference, pp. 435–448. ACM (2014)


  11. Dowling, B., Stebila, D., Zaverucha, G.: Authenticated network time synchronization. In: 25th USENIX Security Symposium (USENIX Security 2016), Austin, TX, pp. 823–840. USENIX Association, August 2016


  12. Duan, H., Weaver, N., Zhao, Z., Hu, M., Liang, J., Jiang, J., Li, K., Paxson, V.: Hold-on: protecting against on-path DNS poisoning. In: Proceedings of Workshop on Securing and Trusting Internet Names, SATIN (2012)


  13. Durairajan, R., Mani, S.K., Sommers, J., Barford, P.: Time’s forgotten: using NTP to understand internet latency. In: HotNets 2015, November 2015


  14. Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: USENIX Security, pp. 605–620. Citeseer (2013)


  15. Haberman, B., Mills, D.: RFC 5906: Network Time Protocol Version 4: Autokey Specification. Internet Engineering Task Force (IETF) (2010). https://tools.ietf.org/html/rfc5906

  16. Itkin, E., Wool, A.: A security analysis and revised security extension for the precision time protocol. CoRR, abs/1603.00707 (2016)


  17. Klein, J.: Becoming a time lord - implications of attacking time sources. Shmoocon Firetalks 2013 (2013). https://youtu.be/XogpQ-iA6Lw

  18. Krämer, L., Krupp, J., Makita, D., Nishizoe, T., Koide, T., Yoshioka, K., Rossow, C.: AmpPot: monitoring and defending against amplification DDoS attacks. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 615–636. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_28


  19. Malhotra, A., Cohen, I.E., Brakke, E., Goldberg, S.: Attacking the network time protocol. In: NDSS 2016, February 2016


  20. Malhotra, A., Goldberg, S.: Attacking NTP’s authenticated broadcast mode. In: SIGCOMM Computer Communication Review, April 2016


  21. Malhotra, A., Goldberg, S.: Message Authentication Codes for the Network Time Protocol. Internet Engineering Task Force (IETF), November 2016. https://datatracker.ietf.org/doc/draft-ietf-ntp-mac/

  22. Mauch, J.: openntpproject: NTP Scanning Project. http://openntpproject.org/

  23. Mills, D.: RFC 1305: Network Time Protocol (Version 3) Specification, Implementation and Analysis. Internet Engineering Task Force (IETF) (1992). http://tools.ietf.org/html/rfc1305

  24. Mills, D., Haberman, B.: draft-haberman-ntpwg-mode-6-cmds-00: Control Messages Protocol for Use with Network Time Protocol Version 4. Internet Engineering Task Force (IETF), May 2016. https://datatracker.ietf.org/doc/draft-haberman-ntpwg-mode-6-cmds/

  25. Mills, D., Martin, J., Burbank, J., Kasch, W.: RFC 5905: Network Time Protocol Version 4: Protocol and Algorithms Specification. Internet Engineering Task Force (IETF) (2010). http://tools.ietf.org/html/rfc5905

  26. Mills, D.L.: Computer Network Time Synchronization, 2nd edn. CRC Press, Boca Raton (2011)


  27. Minar, N.: A survey of the NTP network (1999)


  28. Mizrahi, T.: A game theoretic analysis of delay attacks against time synchronization protocols. In: Precision Clock Synchronization for Measurement Control and Communication (ISPCS), pp. 1–6. IEEE (2012)


  29. Mizrahi, T.: RFC 7384 (Informational): Security Requirements of Time Protocols in Packet Switched Networks. Internet Engineering Task Force (IETF) (2012). http://tools.ietf.org/html/rfc7384

  30. Moreira, N., Lazaro, J., Jimenez, J., Idirin, M., Astarloa, A.: Security mechanisms to protect IEEE 1588 synchronization: state of the art and trends. In: 2015 IEEE International Symposium on Precision Clock Synchronization for Measurement, Control, and Communication (ISPCS), pp. 115–120. IEEE (2015)


  31. Murta, C.D., Torres Jr. P.R., Mohapatra, P.: Characterizing quality of time and topology in a time synchronization network. In: GLOBECOM (2006)


  32. Röttger, S.: Analysis of the ntp autokey procedures. Master’s thesis, Technische Universität Braunschweig (2012)

  33. Selvi, J.: Bypassing HTTP strict transport security. In: Black Hat Europe (2014)


  34. Selvi, J.: Breaking SSL using time synchronisation attacks. In: DEFCON’23 (2015)


  35. Sherman, J.A., Levine, J.: Usage analysis of the NIST internet time service. J. Res. Natl. Inst. Stand. Technol. 121, 33 (2016)


  36. Sibold, D., Roettger, S.: draft-ietf-ntp-network-time-security: Network Time Security. Internet Engineering Task Force (IETF) (2015). http://tools.ietf.org/html/draft-ietf-ntp-network-time-security-08

  37. Sibold, D., Roettger, S., Teichel, K.: draft-ietf-ntp-network-time-security-10: Network Time Security. Internet Engineering Task Force (IETF) (2015). https://tools.ietf.org/html/draft-ietf-ntp-network-time-security-10

  38. Stenn, H.: Securing the network time protocol. ACM Queue 13(1), 20–25 (2015). Communications of the ACM


  39. Stenn, H.: Security notice, 27 April 2016. http://support.ntp.org/bin/view/Main/SecurityNotice

  40. Weaver, N., Sommer, R., Paxson, V.: Detecting forged TCP reset packets. In: NDSS (2009)



Acknowledgements

We are grateful to Jared Mauch for access to the openNTPproject data. We thank the Network Time Foundation and the maintainers of chrony and NTPsec for patching vulnerabilities described here. We also thank Majdi Abbas, Stephen Gray, Ran Canetti, Ethan Heilman, Yossi Gilad, Leonid Reyzin, and Matt Street for useful discussions. This work was supported by the MACS project under NSF Frontier grant CNS-1414119, by NSF grant 1350733, by a Sloan Research Fellowship, and by gifts from Cisco.

Author information


Correspondence to Aanchal Malhotra.


Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Malhotra, A., Van Gundy, M., Varia, M., Kennedy, H., Gardner, J., Goldberg, S. (2017). The Security of NTP’s Datagram Protocol. In: Kiayias, A. (eds) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science, vol 10322. Springer, Cham. https://doi.org/10.1007/978-3-319-70972-7_23


  • DOI: https://doi.org/10.1007/978-3-319-70972-7_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70971-0

  • Online ISBN: 978-3-319-70972-7

  • eBook Packages: Computer Science (R0)
