# Attacking the Network Time Protocol
> Malhotra, Aanchal, et al. "Attacking the Network Time Protocol." NDSS. 2016.
https://eprint.iacr.org/2015/1020.pdf
Authors:
- Aanchal Malhotra
- Isaac E. Cohen
- Erik Brakke
- [Sharon Goldberg](https://www.cs.bu.edu/~goldbe/)
Talk https://www.youtube.com/watch?v=_m4rPgi-b90&feature=youtu.be
Slides https://www.cs.bu.edu/~goldbe/papers/ntpTCEschool.pdf
## Why time matters
| Protocol | Minimum time shift |
| ----------------------------------------- | -------------------------------------------------------------------------- |
| TLS Certs | years |
| HTTP Strict Transport Security (HSTS) | 1 year |
| DNSSEC | a month |
| HTTP Public Key Pinning (HPKP) | months |
| DNS Caches | days |
| Resource Public Key Infrastructure (RPKI) | days |
| Bitcoin | [hours](https://culubas.blogspot.com/2011/05/timejacking-bitcoin_802.html) |
| API authentication | minutes |
| Kerberos | minutes |
Table I - Attacking various applications with NTP.
For an amusing talk by Joe Klein detailing the possible (and past) impact of timing attacks, see https://youtu.be/XogpQ-iA6Lw.
## The NTP ecosystem
### How does NTP work
![](https://i.imgur.com/AafLr5O.png)
Source: https://en.wikipedia.org/wiki/Network_Time_Protocol
#### Stratum
- 0: Timekeeping device itself, like an atomic clock, GPS or radio clock.
- 1: Computer connected to a Stratum 0 within microseconds.
- ...
- 16: Unsynchronized
#### Basics
![](https://i.imgur.com/fU4JC9g.png)
Source: https://labs.apnic.net/?p=462
```mermaid
sequenceDiagram
participant Client
participant Server Strat X
participant Server Strat X minus 1
Server Strat X->>Server Strat X minus 1: Mode 3 message with T1
Server Strat X minus 1->>Server Strat X: Mode 4 message with T2 and T3
Note over Client: T1 = system time
Client->>Server Strat X: Mode 3 message with T1
Note over Server Strat X: T2 = receive time
Note over Server Strat X: T3 = sent response time
Note over Server Strat X: Reference ID = IP of Server Strat X minus 1
Note over Server Strat X: Reference Timestamp = Time last queried Server Strat X minus 1
Server Strat X->>Client: Mode 4 message with T2 and T3
```
Round trip delay: `δ = (T4 − T1) − (T3 − T2)`
Time shift between client and server, assuming the forward and reverse delays are symmetric: `θ = 1/2 ((T2 − T1) + (T3 − T4))`
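The following added example (not from the paper or from ntpd) parses a mode 4 reply and computes δ and θ, showing how an asymmetric path biases θ by half the difference of the one-way delays. The function names, the 192.0.2.1 reference ID and all timestamps are constructed for illustration; the origin-timestamp check follows RFC 5905.

```python
import struct

NTP_DELTA = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER = "!BBbbII4sQQQQ"    # 48-byte NTP header, no extension fields or MAC

def to_ntp(unix_s):
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return int(round((unix_s + NTP_DELTA) * 2**32))

def from_ntp(raw):
    return raw / 2**32 - NTP_DELTA

def build_mode4(stratum, ref_id, ref_ts, t1, t2, t3):
    """Constructed server reply: LI=0, VN=4, Mode=4; the origin field echoes the client's T1."""
    return struct.pack(HEADER, (4 << 3) | 4, stratum, 6, -23, 0, 0,
                       ref_id, to_ntp(ref_ts), to_ntp(t1), to_ntp(t2), to_ntp(t3))

def parse_mode4(packet, t1_sent, t4):
    """Return stratum, reference ID and the delay/offset computed from T1..T4."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp,
     ref_id, ref_ts, org, rec, xmt) = struct.unpack(HEADER, packet[:48])
    if li_vn_mode & 0x7 != 4:
        raise ValueError("not a mode 4 (server) message")
    if org != to_ntp(t1_sent):      # RFC 5905: origin must echo the T1 we sent
        raise ValueError("origin timestamp does not match our request")
    t2, t3 = from_ntp(rec), from_ntp(xmt)
    return {
        "stratum": stratum,
        "reference_id": ".".join(str(b) for b in ref_id),  # upstream IPv4 at stratum >= 2
        "reference_ts": from_ntp(ref_ts),
        "delay": (t4 - t1_sent) - (t3 - t2),               # δ
        "offset": ((t2 - t1_sent) + (t3 - t4)) / 2,        # θ
    }

def exchange(server_ahead, fwd, rev, proc=0.001, t1=1611511163.0):
    """Constructed exchange: server clock is `server_ahead` s ahead; fwd/rev are one-way delays."""
    t2 = t1 + fwd + server_ahead    # server receive time, on the server's clock
    t3 = t2 + proc                  # server transmit time
    t4 = t1 + fwd + proc + rev      # client receive time, on the client's clock
    reply = build_mode4(2, bytes([192, 0, 2, 1]), t2 - 64, t1, t2, t3)
    return parse_mode4(reply, t1, t4)

if __name__ == "__main__":
    print(exchange(0.030, 0.012, 0.012))   # symmetric path: θ equals the true 30 ms shift
    print(exchange(0.030, 0.040, 0.010))   # asymmetric path: θ is off by (fwd - rev) / 2
```
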
Special messages:
- > Monlist responses are a trove of information, listing all IPs that had recently sent NTP packets (of any mode) to the server.
- Kiss-o-death (KoD): sent by the server to the client for rate limiting.
#### Authentication
> Nobody should be using autokey. Or from the other direction, if you are using autokey you should stop using it.
### Exploring own setup
```
➜ ~ dig +short pool.ntp.org
85.90.244.165
159.69.150.81
185.207.104.70
78.47.249.55
➜ ~ dig +short 2.debian.pool.ntp.org
159.69.150.81
94.16.116.137
82.100.248.10
162.159.200.123
➜ ~ dig +short time.apple.com
time-osx.g.aaplimg.com.
17.253.54.123
17.253.52.253
17.253.52.125
17.253.54.251
17.253.54.253
```
```
➜ ~ timedatectl timesync-status
Server: 82.100.248.10 (2.debian.pool.ntp.org)
Poll interval: 34min 8s (min: 32s; max 34min 8s)
Leap: normal
Version: 4
Stratum: 2
Reference: BD8DA03D
Precision: 1us (-23)
Root distance: 34.308ms (max: 5s)
Offset: -69.660ms
Delay: 24.523ms
Jitter: 29.104ms
Packet count: 29
Frequency: +25,316ppm
```
Query a specific NTP server:
```
➜ ~ sudo ntpdate 0.debian.pool.ntp.org
24 Jan 17:59:23 ntpdate[19211]: adjust time server 131.234.220.231 offset 0.030175 sec
```
:warning: ntpd clients are also servers by default. :warning:
```
➜ ~ sudo ntpdate localhost
24 Jan 17:59:43 ntpdate[19216]: no server suitable for synchronization found
```
### Measuring the NTP ecosystem
Number of publicly reachable computers running ntpd:
> a total of 13,076,290 IPs that potentially run NTP servers
Large amounts of badly outdated deployments:
> Meanwhile, Table II shows that ntpd v4.1.1 (released 2001) and v4.2.6 (released 2008) are most popular; the current release v4.2.8 (released 2014) is ranked only 8th amongst the systems we see.
# Alternatives
- Network Time Security (NTS): https://www.internetsociety.org/blog/2020/08/everything-you-need-to-know-about-network-time-security/
- PTP
- Why is PTP so accurate: https://blog.meinbergglobal.com/2013/09/14/ieee-1588-accurate/
- NTP vs PTP: https://blog.meinbergglobal.com/2013/11/22/ntp-vs-ptp-network-timing-smackdown/
- Roughtime: https://blog.cloudflare.com/roughtime/
# Further Resources
- Zero origin timestamp attack: https://lwn.net/Articles/673451/