Try โ€‚โ€‰HackMD

Attacking the Network Time Protocol

Malhotra, Aanchal, et al. "Attacking the Network Time Protocol." NDSS. 2016.

https://eprint.iacr.org/2015/1020.pdf

Authors:

Talk https://www.youtube.com/watch?v=_m4rPgi-b90&feature=youtu.be
Slides https://www.cs.bu.edu/~goldbe/papers/ntpTCEschool.pdf

Why time matters

Protocol Minimum time shift
TLS Certs years
HTTP Strict Transport Security (HSTS) 1 year
DNSSEC a month
HTTP Public Key Pinning (HPKP) months
DNS Caches days
Resource Public Key Infrastructure (RPKI) days
Bitcoin hours
API authentication minutes
Kerberos minutes

Table I - Attacking various applications with NTP.

For an amusing talk by Joe Klein detailing the possible (and past) impact of timing attacks, see https://youtu.be/XogpQ-iA6Lw.

The NTP ecosystem

How does NTP work

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Source: https://en.wikipedia.org/wiki/Network_Time_Protocol

Stratum

  • 0: Timekeeping device itself, like an atomic clock, GPS or radio clock.
  • 1: Computer connected to a Stratum 0 within microseconds.
  • โ€ฆ
  • 16: Unsynchronized

Basics

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Source: https://labs.apnic.net/?p=462

Server Strat X minus 1Server Strat XClientServer Strat X minus 1Server Strat XClientT1 = system timeT2 = receive timeT3 = sent response timeReference ID = IP of Server Strat X minus 1Reference Timestamp = Time last queried Server Strat X minus 1Mode 3 message with T1Mode 4 message with T2 and T3Mode 3 message with T1Mode 4 message with T2 and T3

Round trip delay: ฮด = (T4 โˆ’ T1 ) โˆ’ (T3 โˆ’ T2 )

Timeshift between client and server assuming forward and reverse dealy are symetric: ฮธ = 1/2 ((T2 โˆ’ T1) + (T3 โˆ’ T4))

Special messages:

  • Monlist responses are a trove of information, listing all IPs that had recently sent NTP packets (of any mode) to the server.

  • Kiss-o-death (KoD) send by server to client for rate limiting.

Authentication

Nobody should be using autokey. Or from the other direction, if you are using autokey you should stop using it.

Exploring own setup

โžœ  ~ dig +short pool.ntp.org
85.90.244.165
159.69.150.81
185.207.104.70
78.47.249.55

โžœ  ~ dig +short 2.debian.pool.ntp.org
159.69.150.81
94.16.116.137
82.100.248.10
162.159.200.123

โžœ  ~ dig +short time.apple.com
time-osx.g.aaplimg.com.
17.253.54.123
17.253.52.253
17.253.52.125
17.253.54.251
17.253.54.253
โžœ  ~ timedatectl timesync-status
       Server: 82.100.248.10 (2.debian.pool.ntp.org)
Poll interval: 34min 8s (min: 32s; max 34min 8s)
         Leap: normal
      Version: 4
      Stratum: 2
    Reference: BD8DA03D
    Precision: 1us (-23)
Root distance: 34.308ms (max: 5s)
       Offset: -69.660ms
        Delay: 24.523ms
       Jitter: 29.104ms
 Packet count: 29
    Frequency: +25,316ppm

Query a specific NTP server:

โžœ  ~ sudo ntpdate 0.debian.pool.ntp.org
24 Jan 17:59:23 ntpdate[19211]: adjust time server 131.234.220.231 offset 0.030175 sec

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’
ntpd clients are also servers by default.
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

โžœ  ~ sudo ntpdate localhost            
24 Jan 17:59:43 ntpdate[19216]: no server suitable for synchronization found

Measuring the NTP ecosystem

Number of publicly reachable computers running ntpd:

a total of 13,076,290 IPs that potentially run NTP servers

Large amounts of badly outdated deployments:

Meanwhile, Table II shows that ntpd v4.1.1 (released 2001) and v4.2.6 (released 2008) are most popular; the current release v4.2.8 (released 2014) is ranked only 8 th amongst the systems we see.

Alternatives

Further Resources