NTP - Function, Vulnerability and Threats
NTP Vulnerability
Threats
NTP (1/4) Definition
• NTP stands for Network Time Protocol, and it is an Internet protocol used to synchronize the clocks of computers to some time reference.
• NTP Modes of Operation: An NTP implementation operates as a primary server, secondary server, or client. A primary server is synchronized to a reference clock directly traceable to UTC (e.g., GPS, Galileo, etc.). A client synchronizes to one or more upstream servers, but does not provide synchronization to dependent clients.
• NTPv4 Specs:
• Protocol Modes
• Implementation Model
• Peer Process Variables
NTP (2/4) Protocol Modes
There are three NTP protocol variants:
• symmetric,
• client/server, and
• broadcast.
NTP (3/4) Implementation Model
• Figure 2 shows the architecture of a typical, multi-threaded implementation. It includes two processes dedicated to each server: a peer process to receive messages from the server or reference clock, and a poll process to transmit messages to the server or reference clock.
NTP (4/4) Peer Process Variables
• srcaddr: IP address of the remote server or reference clock. This becomes the destination IP address in packets sent from this association.
• srcport: UDP port number of the server or reference clock. This becomes the destination port number in packets sent from this association. When operating in symmetric modes (1 and 2), this field must contain the NTP port number PORT (123) assigned by the IANA. In other modes, it can contain any number consistent with local policy.
• dstaddr: IP address of the client. This becomes the source IP address in packets sent from this association.
• dstport: UDP port number of the client, ordinarily the NTP port number PORT (123) assigned by the IANA. This becomes the source port number in packets sent from this association.
• keyid: Symmetric key ID for the 128-bit MD5 key used to generate and verify the MAC. The client and server or peer can use different values, but they must map to the same key.
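The keyid variable above is what lets a receiver check a packet's MAC. The following is an added example (not code from the slides or from any NTP implementation) that builds a minimal NTPv4 header, appends the RFC 5905 symmetric-key MAC (keyid followed by MD5 over key || header), and verifies it; the key table and all packet values are constructed placeholders, and the extension-field part of the body is assumed empty.

```python
import hashlib
import hmac
import struct

NTP_PORT = 123          # PORT assigned by IANA, as on the slide
HEADER_LEN = 48         # fixed NTPv4 header; extension fields (none here) would follow it
MAC_LEN = 4 + 16        # keyid + 128-bit MD5 digest

# Constructed key table (hypothetical keys, not from the page): keyid -> 128-bit MD5 key.
KEYS = {1: bytes(range(16)), 7: b"\x5a" * 16}


def build_header(mode=3, stratum=2, poll=6, precision=-20, xmt=0):
    """Pack a minimal NTPv4 header: LI=0, VN=4, mode (3 = client), stratum/poll/precision, timestamps."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack("!BBbb11I", li_vn_mode, stratum, poll, precision,
                       0, 0, 0,              # root delay, root dispersion, reference ID
                       0, 0, 0, 0, 0, 0,     # reference, origin, receive timestamps
                       xmt >> 32, xmt & 0xFFFFFFFF)  # transmit timestamp (offset 40)


def append_mac(header_and_ext, keyid):
    """RFC 5905 symmetric-key MAC: keyid, then MD5 over key || header || extension fields."""
    digest = hashlib.md5(KEYS[keyid] + header_and_ext).digest()
    return header_and_ext + struct.pack("!I", keyid) + digest


def verify_mac(packet):
    """Accept only if a MAC is present, the keyid maps to a locally trusted key and the digest matches."""
    if len(packet) < HEADER_LEN + MAC_LEN:
        return False                        # no MAC at all: treat as bogus
    body, trailer = packet[:-MAC_LEN], packet[-MAC_LEN:]
    keyid = struct.unpack("!I", trailer[:4])[0]
    key = KEYS.get(keyid)
    if key is None:
        return False                        # unknown keyid: cannot map to a trusted key
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, trailer[4:])


def tampered(packet, offset=40):
    """Flip one bit of the transmit timestamp, as a forged (bogus) packet without the key would."""
    out = bytearray(packet)
    out[offset] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    pkt = append_mac(build_header(xmt=0xE3A1B2C300000000), 1)
    print("genuine :", verify_mac(pkt))              # True
    print("forged  :", verify_mac(tampered(pkt)))    # False
    print("no MAC  :", verify_mac(pkt[:HEADER_LEN])) # False
```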
• Why do we need NTP?
- “A man with one watch always knows what time it is, a man with two watches is never quite sure.”
- 88 vulnerabilities of NTP
THREATS
• The purpose of the attack is for the system to generate incorrect or inconsistent time values that may cause time-critical services to work incorrectly. In the case of an operating system, this would interfere with the accuracy of logging, reports, the system clock, etc.
• Other purposes are to interfere with the operation of the protocol, cause clogging of networks, servers or clients with large volumes of traffic, or force the protocol to use large amounts of resources such as computational cryptography.
THREATS
Types of attacks:
• Bogus attack - The attacker forges packets received by the client or server;
• Wiretap attack - The attacker copies (intercepts) packets sent by the client or server, so they can be stored or used for the next type of attack;
• Replay attack - The attacker sends back one or more of the packets that were previously stored (old duplicate), or resends the last packet sent.
THREATS
Possible attack scenarios:
• Middleman Attack - Attackers intercept packets from a client or server so that they do not reach their destination immediately. The attacker then forges the NTP packet or makes it inaccurate, but it will still be accepted by the client and server.
• Masquerade Attack - The attacker pretends to be an NTP server. This may be done if the router on the network has been attacked or is using a fake DNS server.
• Delay Attack - The attacker causes the NTP packet to be delayed for some time, but does not change its contents. If the delay in both directions between the client and server is about the same, the offset error may not be very significant. This is like what happens in data links in outer space caused by the movement of satellites or spacecraft. However, if the delay in the two directions differs significantly, the offset error reaches half of the delay difference between the two directions.
• Denial of Service (DoS) Attack - One or more attackers can collaborate to carry out a DoS attack, by flooding the network, client or server with a large amount of traffic so that the service is interrupted. From previous experience, DoS attacks have never been effectively carried out, because the hardware and software resources used by NTP are quite minimal. However, a DoS attack can be effective if the attack forces the system to perform unnecessarily large cryptographic calculations.
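The delay attack claim above (symmetric added delay is harmless, asymmetric delay shifts the offset by half the difference) follows directly from the NTP on-wire offset and delay formulas. This added example, not from the slides or from any NTP implementation, simulates one client/server exchange with constructed timestamps in integer milliseconds, shows the offset error for each case, and adds a simple delay sanity bound (a hypothetical check, not ntpd's own filter) that a client can use to discard such samples, since the added latency still shows up in the round-trip delay estimate.

```python
def ntp_offset_delay(t1, t2, t3, t4):
    """On-wire estimates from the four timestamps of one exchange (RFC 5905):
    t1 client transmit, t2 server receive, t3 server transmit, t4 client receive."""
    offset = ((t2 - t1) + (t3 - t4)) / 2   # estimated server clock minus client clock
    delay = (t4 - t1) - (t3 - t2)          # estimated round-trip path delay
    return offset, delay


def simulate_exchange(true_offset, path_delay, server_proc, extra_fwd=0, extra_rev=0, t1=1_000_000):
    """Timestamps (constructed, in ms) for one client/server exchange.
    true_offset: server clock minus client clock; path_delay: honest one-way delay;
    extra_fwd / extra_rev: delay an on-path attacker adds to each direction (0 = no attack)."""
    d_fwd = path_delay + extra_fwd
    d_rev = path_delay + extra_rev
    t2 = t1 + true_offset + d_fwd          # server stamps its own clock on receipt
    t3 = t2 + server_proc                  # server stamps its own clock on transmit
    t4 = t3 - true_offset + d_rev          # client stamps its own clock on receipt
    return t1, t2, t3, t4


def offset_error(true_offset, path_delay, server_proc, extra_fwd=0, extra_rev=0):
    """Estimated offset minus true offset; algebraically this equals (d_fwd - d_rev) / 2."""
    stamps = simulate_exchange(true_offset, path_delay, server_proc, extra_fwd, extra_rev)
    return ntp_offset_delay(*stamps)[0] - true_offset


def delay_sample_suspicious(t1, t2, t3, t4, max_delay):
    """Hypothetical sanity bound (not ntpd's filter): the attacker's added latency cannot be hidden
    from the round-trip estimate, so discard samples whose delay exceeds what the path should show."""
    return ntp_offset_delay(t1, t2, t3, t4)[1] > max_delay


if __name__ == "__main__":
    theta, one_way, proc = 500, 50, 1   # server 500 ms ahead, 50 ms each way, 1 ms processing
    print("no attack        :", offset_error(theta, one_way, proc))                # 0
    print("symmetric +200ms :", offset_error(theta, one_way, proc, 200, 200))      # 0
    print("forward +400ms   :", offset_error(theta, one_way, proc, 400, 0))        # 200
    stamps = simulate_exchange(theta, one_way, proc, 400, 0)
    print("delay suspicious :", delay_sample_suspicious(*stamps, 250))             # True
```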
THREATS
• Off-path attacks
• Impact: reduced performance or interruptions in resource availability