Abstract
For decades, the Network Time Protocol (NTP) has been used to synchronize computer clocks over untrusted network paths. This work takes a new look at the security of NTP’s datagram protocol. We argue that NTP’s datagram protocol in RFC5905 is both underspecified and flawed. The NTP specifications do not sufficiently respect (1) the conflicting security requirements of different NTP modes, and (2) the mechanism NTP uses to prevent off-path attacks. A further problem is that (3) NTP’s control-query interface reveals sensitive information that can be exploited in off-path attacks. We exploit these problems in several attacks that remote attackers can use to maliciously alter a target’s time. We use network scans to find millions of IPs that are vulnerable to our attacks. Finally, we move beyond identifying attacks by developing a cryptographic model and using it to prove the security of a new backwards-compatible client/server protocol for NTP.
Notes
1. This follows because time-synchronization protocols use information about the delay on the network path in order to accurately synchronize clocks (Sect. 2). A client cannot distinguish the delay on the forward path (from client to server) from the delay on the reverse path (from server to client). As such, the client simply takes the total round trip time \(\delta\) (forward path + reverse path), and assumes that delays on each path are symmetric. The MiTM can exploit this by making delays asymmetric (e.g., causing the delay on the forward path to be much longer than the delay on the reverse path), thus biasing time synchronization.
2. Note that ntpd does not randomize the UDP source port to create an additional nonce; instead, all NTP packets have UDP source port 123.
3. Indeed, suppose we did update the xmt variable even after receipt of a bogus packet that fails TEST2, with the bogus origin timestamp in the received packet. In this case, we would be vulnerable to a chosen-origin-timestamp attack, where an attacker injects a first packet with an origin timestamp of their choosing. The injected packet fails TEST2 and is dropped, but its origin timestamp gets written to the target’s local xmt variable. Then, the attacker injects another packet with this same origin timestamp, which passes TEST2 and is accepted by the target.
4. As observed by [19], hosts respond to unauthenticated mode 3 queries from arbitrary IP addresses by default. The mode 4 response (Fig. 4) has a reference ID field that reveals the IPv4 address of the responding host’s time server. Thus, our off-path attacker sends its target a (legitimate) mode 3 query, and receives in response a mode 4 packet, and learns the target’s server from its reference ID. Moreover, if the attacker’s shenanigans cause the target to synchronize to a different server, the attacker can just learn the IP of the new server by sending the target a new mode 3 query. The attacker can then spoof packets from the new server as well.
5. To avoid being blacklisted, we refrained from sending monlist queries.
6. We compute the offset \(\theta\) using Eq. (2), with \(T_1\), \(T_2\), \(T_3\) from the packet timestamps and \(T_4\) from the frame arrival time of the mode 4 response packet.
7. See Line 1094 in ntp_proto.c in https://github.com/ntp-project/ntp/commit/fb8fa5f6330a7583ec74fba2dfb7b6bf62bdd246.
8.
9. However, it is not always true that \(k\ge 4\). In the full version we present an ntpd bug (CVE-2016-7433) that allows for \(k = 1\) upon reboot.
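The reasoning in note 3 can be checked with a small state model. This is an added example, not code from the paper or from ntpd; the `Client` class, `run_trace` and the timestamp constants are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Client:
    """Toy model of the origin-timestamp check (TEST2). Names are hypothetical."""
    update_xmt_on_failure: bool   # True = the flawed behaviour note 3 warns against
    xmt: int = 0                  # transmit timestamp of the outstanding query

    def send_query(self, transmit_ts: int) -> None:
        # The client remembers what it sent; a valid response must echo it.
        self.xmt = transmit_ts

    def receive(self, origin_ts: int) -> bool:
        """Return True if the packet passes TEST2 and would be accepted."""
        if origin_ts != self.xmt:
            if self.update_xmt_on_failure:
                self.xmt = origin_ts   # bogus value overwrites the expected nonce
            return False               # TEST2 failed: packet dropped
        return True


def run_trace(update_xmt_on_failure: bool) -> list:
    """Feed the same three packets to a client and return its accept decisions."""
    real = 0xDCC3A1F59E3B7C00     # constructed: timestamp in the client's real query
    chosen = 0x0000000100000000   # constructed: origin timestamp picked by the sender
    client = Client(update_xmt_on_failure)
    client.send_query(real)
    return [
        client.receive(chosen),   # first injected packet
        client.receive(chosen),   # second injected packet, same origin timestamp
        client.receive(real),     # genuine server response
    ]


if __name__ == "__main__":
    print("xmt updated on failure:", run_trace(True))
    print("xmt left untouched:    ", run_trace(False))
```

When xmt is overwritten on a TEST2 failure, the second injected packet is accepted and the genuine response is dropped; when xmt is left untouched, only the genuine response passes.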
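Notes 1 and 6 both rest on the offset computation, so the following added example (not from the paper) parses the three timestamps out of a mode 4 packet, takes \(T_4\) from a separate arrival time, and shows how asymmetric path delay biases \(\theta\). It assumes the standard RFC 5905 formulas \(\theta = \frac{1}{2}[(T_2 - T_1) + (T_3 - T_4)]\) and \(\delta = (T_4 - T_1) - (T_3 - T_2)\), taken here to be what the note's Eq. (2) refers to; the packet and the delays are constructed.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def to_ntp(unix_s: float) -> bytes:
    """Encode Unix seconds as a 64-bit NTP timestamp (32.32 fixed point)."""
    sec = int(unix_s)
    return struct.pack("!II", sec + NTP_UNIX_DELTA, int((unix_s - sec) * 2**32))


def from_ntp(raw: bytes) -> float:
    """Decode a 64-bit NTP timestamp into Unix seconds."""
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_UNIX_DELTA + frac / 2**32


def parse_mode4(pkt: bytes):
    """Return (T1, T2, T3): origin, receive and transmit timestamps."""
    if len(pkt) < 48 or (pkt[0] & 0x07) != 4:
        raise ValueError("not an NTP mode 4 (server) packet")
    return tuple(from_ntp(pkt[i:i + 8]) for i in (24, 32, 40))


def offset_and_delay(t1, t2, t3, t4):
    theta = ((t2 - t1) + (t3 - t4)) / 2   # clock offset
    delta = (t4 - t1) - (t3 - t2)         # round-trip delay
    return theta, delta


def simulate(fwd: float, rev: float, t1: float = 1460000000.0):
    """Constructed exchange in which server and client clocks agree (true offset 0)."""
    t2 = t1 + fwd      # server receives the query after the forward-path delay
    t3 = t2 + 0.001    # constructed server processing time
    t4 = t3 + rev      # frame arrival time at the client, not carried in the packet
    # First byte 0x24: LI=0, VN=4, mode=4; remaining header fields zeroed.
    pkt = bytes([0x24]) + bytes(23) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)
    return offset_and_delay(*parse_mode4(pkt), t4)


if __name__ == "__main__":
    print("symmetric 50 ms / 50 ms:  ", simulate(0.05, 0.05))
    print("asymmetric 450 ms / 50 ms:", simulate(0.45, 0.05))
```

With a true offset of zero, the computed offset equals half the difference between forward and reverse delay, which is the bias note 1 describes.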
References
https://github.com/mlichvar/chrony/blob/master/ntp_core.c#L908
https://github.com/ntp-project/ntp/blob/1a399a03e674da08cfce2cdb847bfb65d65df237/libntp/ntp_random.c
https://github.com/philpennock/openntpd/blob/master/client.c#L174
The NIST authenticated NTP service (2010). http://www.nist.gov/pml/div688/grp40/auth-ntp.cfm. Accessed July 2015
Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_1
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS, pp. 136–145. IEEE (2001)
Clayton, R., Murdoch, S.J., Watson, R.N.M.: Ignoring the Great Firewall of China. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 20–35. Springer, Heidelberg (2006). https://doi.org/10.1007/11957454_2
corbixgwelt. Timejacking & bitcoin: The global time agreement puzzle (culubas blog) (2011). http://culubas.blogspot.com/2011/05/timejacking-bitcoin_802.html. Accessed Aug 2015
Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., Karir, M.: Taming the 800 pound gorilla: the rise and decline of NTP DDoS attacks. In: Proceedings of the 2014 Internet Measurement Conference, pp. 435–448. ACM (2014)
Dowling, B., Stebila, D., Zaverucha, G.: Authenticated network time synchronization. In: 25th USENIX Security Symposium (USENIX Security 2016), Austin, TX, pp. 823–840. USENIX Association, August 2016
Duan, H., Weaver, N., Zhao, Z., Hu, M., Liang, J., Jiang, J., Li, K., Paxson, V.: Hold-on: protecting against on-path DNS poisoning. In: Proceedings of Workshop on Securing and Trusting Internet Names, SATIN (2012)
Durairajan, R., Mani, S.K., Sommers, J., Barford, P.: Time’s forgotten: using NTP to understand internet latency. In: HotNets 2015, November 2015
Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: USENIX Security, pp. 605–620. Citeseer (2013)
Haberman, B., Mills, D.: RFC 5906: Network Time Protocol Version 4: Autokey Specification. Internet Engineering Task Force (IETF) (2010). https://tools.ietf.org/html/rfc5906
Itkin, E., Wool, A.: A security analysis and revised security extension for the precision time protocol. CoRR, abs/1603.00707 (2016)
Klein, J.: Becoming a time lord - implications of attacking time sources. Shmoocon Firetalks 2013 (2013). https://youtu.be/XogpQ-iA6Lw
Krämer, L., Krupp, J., Makita, D., Nishizoe, T., Koide, T., Yoshioka, K., Rossow, C.: AmpPot: monitoring and defending against amplification DDoS attacks. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 615–636. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_28
Malhotra, A., Cohen, I.E., Brakke, E., Goldberg, S.: Attacking the network time protocol. In: NDSS 2016, February 2016
Malhotra, A., Goldberg, S.: Attacking NTP’s authenticated broadcast mode. In: SIGCOMM Computer Communication Review, April 2016
Malhotra, A., Goldberg, S.: Message Authentication Codes for the Network Time Protocol. Internet Engineering Task Force (IETF), November 2016. https://datatracker.ietf.org/doc/draft-ietf-ntp-mac/
Mauch, J.: openntpproject: NTP Scanning Project. http://openntpproject.org/
Mills, D.: RFC 1305: Network Time Protocol (Version 3) Specification, Implementation and Analysis. Internet Engineering Task Force (IETF) (1992). http://tools.ietf.org/html/rfc1305
Mills, D., Haberman, B.: draft-haberman-ntpwg-mode-6-cmds-00: Control Messages Protocol for Use with Network Time Protocol Version 4. Internet Engineering Task Force (IETF), May 2016. https://datatracker.ietf.org/doc/draft-haberman-ntpwg-mode-6-cmds/
Mills, D., Martin, J., Burbank, J., Kasch, W.: RFC 5905: Network Time Protocol Version 4: Protocol and Algorithms Specification. Internet Engineering Task Force (IETF) (2010). http://tools.ietf.org/html/rfc5905
Mills, D.L.: Computer Network Time Synchronization, 2nd edn. CRC Press, Boca Raton (2011)
Minar, N.: A survey of the NTP network (1999)
Mizrahi, T.: A game theoretic analysis of delay attacks against time synchronization protocols. In: Precision Clock Synchronization for Measurement Control and Communication (ISPCS), pp. 1–6. IEEE (2012)
Mizrahi, T.: RFC 7384 (Informational): Security Requirements of Time Protocols in Packet Switched Networks. Internet Engineering Task Force (IETF) (2012). http://tools.ietf.org/html/rfc7384
Moreira, N., Lazaro, J., Jimenez, J., Idirin, M., Astarloa, A.: Security mechanisms to protect IEEE 1588 synchronization: state of the art and trends. In: 2015 IEEE International Symposium on Precision Clock Synchronization for Measurement, Control, and Communication (ISPCS), pp. 115–120. IEEE (2015)
Murta, C.D., Torres Jr. P.R., Mohapatra, P.: Characterizing quality of time and topology in a time synchronization network. In: GLOBECOM (2006)
Röttger, S.: Analysis of the ntp autokey procedures. Master’s thesis, Technische Universität Braunschweig (2012)
Selvi, J.: Bypassing HTTP strict transport security. In: Black Hat Europe (2014)
Selvi, J.: Breaking SSL using time synchronisation attacks. In: DEFCON’23 (2015)
Sherman, J.A., Levine, J.: Usage analysis of the NIST internet time service. J. Res. Natl. Inst. Stand. Technol. 121, 33 (2016)
Sibold, D., Roettger, S.: draft-ietf-ntp-network-time-security: Network Time Security. Internet Engineering Task Force (IETF) (2015). http://tools.ietf.org/html/draft-ietf-ntp-network-time-security-08
Sibold, D., Roettger, S., Teichel, K.: draft-ietf-ntp-network-time-security-10: Network Time Security. Internet Engineering Task Force (IETF) (2015). https://tools.ietf.org/html/draft-ietf-ntp-network-time-security-10
Stenn, H.: Securing the network time protocol. ACM Queue 13(1), 20–25 (2015). Communications of the ACM
Stenn, H.: Security notice, 27 April 2016. http://support.ntp.org/bin/view/Main/SecurityNotice
Weaver, N., Sommer, R., Paxson, V.: Detecting forged TCP reset packets. In: NDSS (2009)
Acknowledgements
We are grateful to Jared Mauch for access to the openNTPproject data. We thank the Network Time Foundation and the maintainers of chrony and NTPsec for patching vulnerabilities described here. We also thank Majdi Abbas, Stephen Gray, Ran Canetti, Ethan Heilman, Yossi Gilad, Leonid Reyzin, and Matt Street for useful discussions. This work was supported by the MACS project under NSF Frontier grant CNS-1414119, by NSF grant 1350733, by a Sloan Research Fellowship, and by gifts from Cisco.
Copyright information
© 2017 International Financial Cryptography Association
Cite this paper
Malhotra, A., Van Gundy, M., Varia, M., Kennedy, H., Gardner, J., Goldberg, S. (2017). The Security of NTP’s Datagram Protocol. In: Kiayias, A. (eds) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science, vol 10322. Springer, Cham. https://doi.org/10.1007/978-3-319-70972-7_23
DOI: https://doi.org/10.1007/978-3-319-70972-7_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70971-0
Online ISBN: 978-3-319-70972-7
eBook Packages: Computer Science (R0)