A Security Analysis of the Network Time Protocol (NTP)

Presentation by Tianen Liu
Overview
• NTP version 2
• Five types of attacks against NTP
• Suggested Improvements
Requirements of NTP
• Deliver accurate time over wide-area network
• Synchronize time and frequency
• Work with a variety of computers
• Overcome problem with transmission delay
• Loss of a single transmission path does not prevent other portions from obtaining correct time
Multi-Tiered System
• Each layer is a stratum
• Stratum 1: Primary servers connected to atomic or radio clocks
• Stratum >1: Secondary servers synchronize with primary servers or other secondary servers at lower stratum numbers
• Hosts on a subnet receive time propagated by secondary servers.
NTP Hierarchy
Operating Modes
• Client/Server mode
  • Client polls (secondary) server for time
• Symmetric active mode
  • Periodically broadcasts time messages to synchronize other servers
• Symmetric passive mode
  • Receives time messages from peers at equal or lower stratum number than host.
NTP Message Transmit
• The timer associated with each peer is decremented periodically. When it reaches 0, an NTP packet is sent.
• Source and destination addresses and ports are copied to the IP packet variables.
• The NTP version, mode, stratum, distance to primary source, timestamp info, etc. are stored in the packet, and it is transmitted.
NTP Message Receive
• Checks whether the packet is reasonable
• Resets internal variables based on the message received
• Adjusts the local clock
• Possibly selects a new peer to be used as clock source
Sanity Checks
Selection of Source Peer Algorithm
• Goal: determine which peer should be allowed to synchronize the current host's clock
• NTP assumes that there is a correct time value and that, by using multiple sources, inaccurate values can be discarded.
Delay Calculated for each NTP message
• Values computed from last 8 messages constitute a sample
• Lowest delay and stratum number favored when selecting a source
• Round trip delay: $(t_i - t_{i-3}) - (t_{i-1} - t_{i-2})$
Access Control Mechanism
• All hosts are divided into 3 categories: trusted, friendly, others
• Trusted hosts are allowed to synchronize the local clock
• Friendly hosts are sent timestamps but may not synchronize the local clock
• Messages from the "others" category are ignored
Access Control Mechanism (2)
• Relies on the source address to determine the category of a host
• An attacker can choose a source address that allows synchronization of the victim
Authentication Mechanism
• Uses symmetric key encryption between two parties (host and peer)
• Algorithm and key are distributed by means other than NTP
• Most of the packet is checksummed using the key
• Upon receipt, the checksum is recomputed and compared to the transmitted checksum
• Keys are per-host based. Compromise of one host's key can compromise all hosts it synchronizes with.
Five Possible Attacks on NTP
• A non-time server impersonates a time server (masquerade)
• An attacker modifies messages sent by a time server (modification)
• An attacker resends a time server's message (replay)
• An attacker intercepts a time server's message and deletes it (denial of service)
• An attacker delays time messages (delay)
Masquerade
• Attack: Send packets to the victim with the source address of the time server to be imitated
• Countermeasure: Authentication method
Message Modification
• Alter packets sent to the victim.
• Examples of fields to alter:
  • Pkt.version: changing it to an earlier version results in the packet being discarded
  • Pkt.mode: the modes of host and peer become incompatible, and the packet is discarded
  • Pkt.stratum: an altered value less than the true value may cause the peer to be chosen as a clock source
  • Pkt.dispersion: an altered value affects the estimated round trip delay from the primary source and may cause the peer to be chosen as clock source
• Countermeasure: Use authentication
Replay
• Attack: Record messages sent at one time and resend them later
• Countermeasures:
  • Reject any packet with a timestamp no newer than the last one received
  • But when a clock runs fast, it must be set back. Require a special packet to be sent when the clock is to be moved back. Provide a nonce to ensure the packet cannot be replayed.
Delay
• Attack: Artificially increase roundtrip delay to the peer
• Countermeasure: Redundancy of clock sources
Denial of Service
• Attack: Prevent packets from clock sources from reaching host
• Countermeasure: Redundancy of clock sources
Suggested Improvements
• Authentication should be used with keys issued on a per-path, not per-host, basis.
• Access control should be based on routes recorded, not simply on IP address.
• Servers should have several other source servers to limit the effectiveness of delay and denial of service attacks.