A Security Analysis of the Network Time Protocol (NTP) Presentation by Tianen Liu.


Transcript of A Security Analysis of the Network Time Protocol (NTP) Presentation by Tianen Liu.

Page 1: A Security Analysis of the Network Time Protocol (NTP) Presentation by Tianen Liu.

A Security Analysis of the Network Time Protocol (NTP)

Presentation by Tianen Liu

Page 2

Overview

NTP version 2
Five types of attacks against NTP
Suggested improvements

Page 3

Requirements of NTP

Deliver accurate time over a wide-area network
Synchronize both time and frequency
Work with a variety of computers
Overcome the problem of transmission delay
Loss of a single transmission path does not prevent other portions of the network from obtaining correct time

Page 4

Multi Tiered System

Each layer is a stratum
Stratum 1: primary servers connected to atomic or radio clocks
Stratum >1: secondary servers synchronize with primary servers or with other secondary servers at lower stratum numbers
Hosts on a subnet receive time propagated by secondary servers.

Page 5

NTP Hierarchy

Page 6

Operating Modes

Client/server mode: client polls a (secondary) server for time
Symmetric active mode: periodically broadcasts time messages to synchronize other servers
Symmetric passive mode: receives time messages from peers at an equal or lower stratum number than the host.

Page 7

NTP Message Transmit

A timer associated with each peer is decremented periodically. When it reaches 0, an NTP packet is sent.

Source and destination addresses and ports are copied into the IP packet variables.

The NTP version, mode, stratum, distance to the primary source, timestamp information, etc. are stored in the packet, and the packet is transmitted.

Page 8

NTP Message Receive

Checks whether the packet is reasonable
Resets internal variables based on the message received
Adjusts the local clock
Possibly selects a new peer to be used as the clock source

Page 9

Sanity Checks

Page 10

Selection of Source Peer Algorithm

Goal: determine which peer should be allowed to synchronize the current host's clock

NTP assumes that there is correct time value and that by using multiple sources, inaccurate values can be discarded.

Page 11

Delay is calculated for each NTP message
Values computed from the last 8 messages constitute a sample
Lowest delay and lowest stratum number are favored when selecting a source

Round trip delay: (t_i - t_{i-3}) - (t_{i-1} - t_{i-2})
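The delay formula and the selection rule on this slide, worked through as an added example (this is not code from the presentation). Timestamps are integers in milliseconds so the arithmetic is exact; t1..t4 stand for t_{i-3}, t_{i-2}, t_{i-1}, t_i (client sends, server receives, server sends, client receives). The clock offset estimate is the standard NTP formula and is not on the slide; the rule that a peer needs a full 8-message sample before it is eligible is an assumption made here.

```python
"""Round-trip delay, clock offset and source selection for NTP-style
timestamp exchanges (added example; not the presentation's code)."""
from collections import deque
from dataclasses import dataclass, field

SAMPLE_SIZE = 8  # slide: values from the last 8 messages form a sample


def round_trip_delay(t1, t2, t3, t4):
    """(t_i - t_{i-3}) - (t_{i-1} - t_{i-2}): total elapsed time on the
    client minus the time the server held the request, i.e. wire time."""
    return (t4 - t1) - (t3 - t2)


def clock_offset(t1, t2, t3, t4):
    """Standard NTP offset estimate (not on the slide): the average of the
    apparent offsets on the outbound and inbound legs. It is exact only when
    both legs have equal delay, which is why an artificially delayed path
    (the delay attack later in the talk) skews the result."""
    return ((t2 - t1) + (t3 - t4)) / 2


@dataclass
class Peer:
    name: str
    stratum: int
    # sliding window of the last SAMPLE_SIZE delay values
    delays: deque = field(default_factory=lambda: deque(maxlen=SAMPLE_SIZE))

    def record(self, t1, t2, t3, t4):
        self.delays.append(round_trip_delay(t1, t2, t3, t4))

    def best_delay(self):
        return min(self.delays)


def select_source(peers):
    """Prefer the lowest stratum number, then the lowest sampled delay.
    Assumption of this example: a peer without a full sample is ignored."""
    eligible = [p for p in peers if len(p.delays) == SAMPLE_SIZE]
    if not eligible:
        return None
    return min(eligible, key=lambda p: (p.stratum, p.best_delay()))


def demo():
    """Constructed sample: three peers, eight exchanges each.
    a: ~60 ms round trip with jitter, stratum 2
    b: 40 ms round trip, stratum 2
    c: 10 ms round trip but stratum 3 (loses on stratum despite low delay)"""
    a = Peer("a", stratum=2)
    b = Peer("b", stratum=2)
    c = Peer("c", stratum=3)
    for k in range(SAMPLE_SIZE):
        a.record(1000 + k, 1030 + k, 1032 + k, 1062 + k + (k % 3))
        b.record(1000 + k, 1020 + k, 1022 + k, 1042 + k)
        c.record(1000 + k, 1005 + k, 1006 + k, 1011 + k)
    return select_source([a, b, c]).name


if __name__ == "__main__":
    print(round_trip_delay(1000, 1050, 1060, 1110), clock_offset(1000, 1050, 1060, 1110))
    print("selected source:", demo())
```

Because selection is driven by two attacker-influenced quantities, the stratum value in the packet and the measured delay, this is exactly where the modification and delay attacks described later in the talk take hold.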

Page 12

Access Control Mechanism

All hosts are divided into 3 categories: trusted, friendly, others

Trusted hosts are allowed to synchronize the local clock

Friendly hosts are sent timestamps but may not synchronize the local clock

Messages from hosts in the "others" category are ignored

Page 13

Access Control Mechanism(2)

Relies on the source address to determine the category of a host

An attacker can choose a source address that is allowed to synchronize the victim

Page 14

Authentication Mechanism

Uses symmetric key encryption between two parties (host and peer)

Algorithm and key distributed by means other than NTP

Most of the packet is checksummed using the key
Upon receipt, the checksum is recomputed and compared to the transmitted checksum
Keys are per-host. Compromise of one host's key can compromise all hosts it synchronizes with.

Page 15

Five Possible Attacks on NTP

A non-time server impersonates a time server (masquerade)

An attacker modifies messages sent by time server (modification)

An attacker resends a time server's message (replay)

An attacker intercepts a time server’s message and deletes it (denial of service)

An attacker delays time messages (delay)

Page 16

Masquerade

Attack: Send packets to the victim with the source address of the time server to be imitated

Countermeasure: Authentication method

Page 17

Message Modification

Attack: alter packets sent to the victim. Examples of fields to alter:

Pkt.version – changed to earlier version will result in the packet being discarded

Pkt.mode – modes of host and peer become incompatible, packet is discarded

Pkt.stratum – altered value less than the true value may cause peer to be chosen as a clock source

Pkt.dispersion – altered value affects estimated round trip delay from the primary source, may cause peer to be chosen as clock source

Countermeasure: Use authentication
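The keyed checksum from the authentication slide, and why it is the countermeasure for both masquerade and message modification, as an added example (not the presentation's code). The slide names no algorithm, so HMAC-SHA256 is an assumption; the packet layout (version, mode, stratum, dispersion, transmit timestamp) is a simplified one made up for the example, and keys are looked up by peer address, mirroring the per-host keying the slide describes.

```python
"""Keyed checksum over an NTP-style packet: genuine packets verify,
a packet with an altered stratum or one built without the key does not
(added example; not the presentation's code)."""
import hashlib
import hmac
import struct

# Simplified packet body covered by the checksum (constructed layout):
# version (B), mode (B), stratum (B), dispersion ms (I), transmit ts ms (Q)
HEADER = struct.Struct("!BBBIQ")
DIGEST_LEN = hashlib.sha256().digest_size


def build_packet(key, version, mode, stratum, dispersion, transmit_ts):
    """Sender side: pack the fields and append the keyed checksum."""
    body = HEADER.pack(version, mode, stratum, dispersion, transmit_ts)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_packet(packet):
    body, mac = packet[:HEADER.size], packet[HEADER.size:]
    if len(body) != HEADER.size or len(mac) != DIGEST_LEN:
        raise ValueError("malformed packet")
    return HEADER.unpack(body), body, mac


def verify_packet(key, packet):
    """Receiver side: recompute the checksum over the body and compare it
    in constant time to the transmitted one."""
    _, body, mac = parse_packet(packet)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def receive(keys_by_peer, peer_addr, packet):
    """Look up the key for the claimed peer and check the checksum before
    any field (stratum, dispersion, ...) is allowed to influence selection.
    Returns the parsed fields, or None if the packet must be dropped."""
    key = keys_by_peer.get(peer_addr)
    if key is None or not verify_packet(key, packet):
        return None
    return parse_packet(packet)[0]


def demo():
    """Constructed scenario: one trusted peer with one shared key."""
    keys = {"10.0.0.1": b"constructed-key-for-peer-1"}
    genuine = build_packet(keys["10.0.0.1"], 2, 4, 2, 5, 1_700_000_000_000)
    # In-flight change of the stratum byte (offset 2) from 2 to 1, the
    # modification the slide says could get this peer chosen as a source.
    altered = genuine[:2] + bytes([1]) + genuine[3:]
    # Masquerade: a packet claiming the peer's address but built without its key.
    forged = build_packet(b"not-the-real-key", 2, 4, 1, 0, 1_700_000_000_000)
    return {
        "genuine": receive(keys, "10.0.0.1", genuine) is not None,
        "stratum_altered": receive(keys, "10.0.0.1", altered) is not None,
        "masquerade": receive(keys, "10.0.0.1", forged) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The check only protects the fields under the checksum and only as long as the key is secret; with per-host keys, as the slide notes, one leaked key lets every peer that shares it be impersonated, which is what motivates the per-path keys in the suggested improvements.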

Page 18

Replay

Attack: Record messages sent at one time and resend them later

Countermeasures:
Reject any packet with a timestamp no newer than the last one received. But when the clock runs fast, it must be set back.
Require a special packet to be sent when the clock is to be moved back. Provide a nonce to ensure the packet cannot be replayed.
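The replay countermeasure on this slide as receiver-side logic, added here as an example (not the presentation's code): packets from a peer must carry a timestamp newer than the last one accepted, and the clock can only be moved backwards by a special set-back packet that echoes a single-use nonce the receiver issued. The packet shape (dict with `transmit_ts`, optional `type` and `nonce`) and the field names are made up for the example.

```python
"""Replay filtering for NTP-style packets: monotonic timestamp check plus
a nonce-protected set-back packet (added example; not the presentation's code)."""
import secrets


class PeerState:
    """Per-peer receiver state."""

    def __init__(self):
        self.last_ts = None        # newest transmit timestamp accepted so far
        self.pending_nonce = None  # nonce issued for one outstanding set-back

    def issue_setback_nonce(self):
        """Hand a fresh nonce to the peer that needs to move our clock back.
        Only a packet echoing this exact value may do so, and only once."""
        self.pending_nonce = secrets.token_hex(16)
        return self.pending_nonce

    def accept(self, packet):
        """Return (accepted, reason) for a constructed packet dict."""
        ts = packet["transmit_ts"]
        if packet.get("type") == "setback":
            nonce = packet.get("nonce")
            if nonce is None or self.pending_nonce is None or \
                    not secrets.compare_digest(nonce, self.pending_nonce):
                return False, "set-back without a valid nonce"
            self.pending_nonce = None  # single use: a replay of this packet fails
            self.last_ts = ts          # clock moves back; the monotonic window restarts
            return True, "clock set back"
        if self.last_ts is not None and ts <= self.last_ts:
            return False, "timestamp not newer than last accepted (possible replay)"
        self.last_ts = ts
        return True, "accepted"


def demo():
    """Constructed packet sequence from one peer; returns the accept decisions."""
    st = PeerState()
    log = [
        st.accept({"transmit_ts": 1000}),   # first packet: accepted
        st.accept({"transmit_ts": 1010}),   # newer: accepted
        st.accept({"transmit_ts": 1010}),   # replayed copy: rejected
        st.accept({"transmit_ts": 900}),    # old recording: rejected
    ]
    nonce = st.issue_setback_nonce()
    setback = {"type": "setback", "transmit_ts": 950, "nonce": nonce}
    log.append(st.accept(setback))          # valid set-back: accepted
    log.append(st.accept(setback))          # same packet again: rejected
    log.append(st.accept({"type": "setback", "transmit_ts": 940,
                          "nonce": "0" * 32}))  # guessed nonce: rejected
    log.append(st.accept({"transmit_ts": 960}))  # normal traffic after set-back
    return [ok for ok, _ in log]


if __name__ == "__main__":
    print(demo())
```

Note the residual gap: once the clock has legitimately been set back, the monotonic window restarts at the new time, so a recorded packet whose timestamp falls between the new and the old time would pass the timestamp check again. The nonce protects the set-back packet itself, not ordinary packets recorded before the set-back; redundancy of sources, the countermeasure the next slides rely on, is what limits that exposure.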

Page 19

Delay

Attack: Artificially increase the round-trip delay to the peer

Countermeasure: Redundancy of clock sources

Page 20

Denial of Service

Attack: Prevent packets from clock sources from reaching host

Countermeasure: Redundancy of clock sources

Page 21

Suggested Improvements

Authentication should be used with keys issued on a per-path basis, not a per-host basis.

Access control should be based on recorded routes, not simply on the IP source address.

Servers should have several other source servers to limit the effectiveness of delay and denial of service attacks.