# Attacking the Network Time Protocol

> Malhotra, Aanchal, et al. "Attacking the Network Time Protocol." NDSS. 2016. https://eprint.iacr.org/2015/1020.pdf

Authors:

- Aanchal Malhotra
- Isaac E. Cohen
- Erik Brakke
- [Sharon Goldberg](https://www.cs.bu.edu/~goldbe/)

Talk: https://www.youtube.com/watch?v=_m4rPgi-b90&feature=youtu.be

Slides: https://www.cs.bu.edu/~goldbe/papers/ntpTCEschool.pdf

## Why time matters

| Protocol                                  | Minimum time shift                                                         |
| ----------------------------------------- | -------------------------------------------------------------------------- |
| TLS Certs                                 | years                                                                      |
| HTTP Strict Transport Security (HSTS)     | 1 year                                                                     |
| DNSSEC                                    | a month                                                                    |
| HTTP Public Key Pinning (HPKP)            | months                                                                     |
| DNS Caches                                | days                                                                       |
| Resource Public Key Infrastructure (RPKI) | days                                                                       |
| Bitcoin                                   | [hours](https://culubas.blogspot.com/2011/05/timejacking-bitcoin_802.html) |
| API authentication                        | minutes                                                                    |
| Kerberos                                  | minutes                                                                    |

Table I - Attacking various applications with NTP.

For an amusing talk by Joe Klein detailing the possible (and past) impact of timing attacks, see https://youtu.be/XogpQ-iA6Lw.

## The NTP ecosystem

### How does NTP work

![](https://i.imgur.com/AafLr5O.png)

Source: https://en.wikipedia.org/wiki/Network_Time_Protocol

#### Stratum

- 0: Timekeeping device itself, like an atomic clock, GPS or radio clock.
- 1: Computer connected to a Stratum 0 within microseconds.
- ...
- 16: Unsynchronized

#### Basics

![](https://i.imgur.com/fU4JC9g.png)

Source: https://labs.apnic.net/?p=462

```mermaid
sequenceDiagram
    participant Client
    participant Server Strat X
    participant Server Strat X minus 1
    Server Strat X->>Server Strat X minus 1: Mode 3 message with T1
    Server Strat X minus 1->>Server Strat X: Mode 4 message with T2 and T3
    Note over Client: T1 = system time
    Client->>Server Strat X: Mode 3 message with T1
    Note over Server Strat X: T2 = receive time
    Note over Server Strat X: T3 = sent response time
    Note over Server Strat X: Reference ID = IP of Server Strat X minus 1
    Note over Server Strat X: Reference Timestamp = Time last queried Server Strat X minus 1
    Server Strat X->>Client: Mode 4 message with T2 and T3
```

Round trip delay, where T4 is the client's system time when the Mode 4 reply arrives:

`δ = (T4 − T1) − (T3 − T2)`

Time shift (offset) between client and server, assuming forward and reverse delays are symmetric:

`θ = 1/2 ((T2 − T1) + (T3 − T4))`

Special messages:

- > Monlist responses are a trove of information, listing all IPs that had recently sent NTP packets (of any mode) to the server.
- Kiss-o-death (KoD): sent by the server to the client for rate limiting.

#### Authentication

> Nobody should be using autokey. Or from the other direction, if you are using autokey you should stop using it.

### Exploring your own setup

```
➜ ~ dig +short pool.ntp.org
85.90.244.165
159.69.150.81
185.207.104.70
78.47.249.55
➜ ~ dig +short 2.debian.pool.ntp.org
159.69.150.81
94.16.116.137
82.100.248.10
162.159.200.123
➜ ~ dig +short time.apple.com
time-osx.g.aaplimg.com.
17.253.54.123
17.253.52.253
17.253.52.125
17.253.54.251
17.253.54.253
```

```
➜ ~ timedatectl timesync-status
       Server: 82.100.248.10 (2.debian.pool.ntp.org)
Poll interval: 34min 8s (min: 32s; max 34min 8s)
         Leap: normal
      Version: 4
      Stratum: 2
    Reference: BD8DA03D
    Precision: 1us (-23)
Root distance: 34.308ms (max: 5s)
       Offset: -69.660ms
        Delay: 24.523ms
       Jitter: 29.104ms
 Packet count: 29
    Frequency: +25,316ppm
```

Query a specific NTP server:

```
➜ ~ sudo ntpdate 0.debian.pool.ntp.org
24 Jan 17:59:23 ntpdate[19211]: adjust time server 131.234.220.231 offset 0.030175 sec
```

:warning: ntpd clients are also servers by default. :warning:

```
➜ ~ sudo ntpdate localhost
24 Jan 17:59:43 ntpdate[19216]: no server suitable for synchronization found
```

### Measuring the NTP ecosystem

Number of publicly reachable computers running ntpd:

> a total of 13,076,290 IPs that potentially run NTP servers

Large amounts of badly outdated deployments:

> Meanwhile, Table II shows that ntpd v4.1.1 (released 2001) and v4.2.6 (released 2008) are most popular; the current release v4.2.8 (released 2014) is ranked only 8th amongst the systems we see.

# Alternatives

- Network Time Security (NTS): https://www.internetsociety.org/blog/2020/08/everything-you-need-to-know-about-network-time-security/
- PTP
  - Why is PTP so accurate: https://blog.meinbergglobal.com/2013/09/14/ieee-1588-accurate/
  - NTP vs PTP: https://blog.meinbergglobal.com/2013/11/22/ntp-vs-ptp-network-timing-smackdown/
- Roughtime: https://blog.cloudflare.com/roughtime/

# Further Resources

- Zero origin timestamp attack: https://lwn.net/Articles/673451/
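
The Mode 3 / Mode 4 exchange and the δ and θ formulas from the Basics section, as an added Python example (not code from the paper or from ntpd): it parses a constructed 48-byte reply and checks mode, origin timestamp and stratum before computing delay and offset. The helper names, the sample timestamps and the 192.0.2.1 reference ID are assumptions made for illustration; the header layout follows RFC 5905.

```python
import struct

NTP_HDR = "!BBbbII4sQQQQ"  # 48-byte NTP header (RFC 5905), no extension fields or MAC

def ts(sec, frac=0.0):
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus 32-bit binary fraction."""
    return (sec << 32) | int(frac * 2**32)

def build_reply(stratum, ref_id, origin, t2, t3):
    """Constructed mode 4 packet (LI=0, VN=4, Mode=4) standing in for a server reply."""
    return struct.pack(NTP_HDR, (4 << 3) | 4, stratum, 6, -23, 0, 0,
                       ref_id, ts(3_899_999_000), origin, t2, t3)

def parse_reply(pkt, t1, t4):
    """Validate a reply to our mode 3 query sent at t1 and received at t4."""
    if len(pkt) < 48:
        raise ValueError("short packet")
    lvm, stratum, _, _, _, _, ref_id, _, origin, t2, t3 = struct.unpack(NTP_HDR, pkt[:48])
    if lvm & 0x7 != 4:
        raise ValueError("not a mode 4 (server) message")
    # Origin check first: a reply that does not echo our T1 is not an answer
    # to our query, so none of its fields (a KoD included) should be acted on.
    if origin != t1:
        raise ValueError("origin timestamp does not match T1")
    if stratum == 0:  # on the wire, stratum 0 marks a KoD; ref ID is an ASCII kiss code
        return {"kod": ref_id.decode("ascii", "replace")}
    if stratum >= 16:
        raise ValueError("server is unsynchronized")
    delay = ((t4 - t1) - (t3 - t2)) / 2**32        # δ = (T4 − T1) − (T3 − T2)
    offset = ((t2 - t1) + (t3 - t4)) / 2 / 2**32   # θ = 1/2 ((T2 − T1) + (T3 − T4))
    # Stratum 1 carries an ASCII source tag; higher strata carry the upstream's IPv4 address
    ref = ref_id.decode("ascii", "replace") if stratum == 1 else ".".join(map(str, ref_id))
    return {"stratum": stratum, "ref_id": ref, "delay": delay, "offset": offset}

# Constructed sample: server clock 0.25 s ahead, 0.0625 s each way, 0.125 s processing
BASE = 3_900_000_000
T1, T2, T3, T4 = ts(BASE), ts(BASE, 0.3125), ts(BASE, 0.4375), ts(BASE, 0.25)
UPSTREAM = bytes([192, 0, 2, 1])                   # documentation address, constructed
GOOD = build_reply(2, UPSTREAM, T1, T2, T3)
KOD = build_reply(0, b"RATE", T1, 0, 0)
MISMATCHED = build_reply(2, UPSTREAM, T1 + 1, T2, T3)  # origin does not echo T1

if __name__ == "__main__":
    print(parse_reply(GOOD, T1, T4))
    print(parse_reply(KOD, T1, T4))
```

Differences are taken on the raw 64-bit fixed-point values and only then scaled to seconds, which avoids losing sub-microsecond precision to floating point.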