A Security Analysis of the Network Time Protocol (NTP)
Presentation by Tianen Liu
Overview
NTP version 2
Five types of attacks against NTP
Suggested Improvements
Requirements of NTP
Deliver accurate time over a wide-area network
Synchronize time and frequency
Work with a variety of computers
Overcome the problem of transmission delay
Loss of a single transmission path does not prevent other portions from obtaining correct time
Multi Tiered System
Each layer is a stratum
Stratum 1: Primary servers connected to atomic or radio clocks
Stratum >1: Secondary servers synchronize with primary servers or other secondary servers at lower stratum numbers
Hosts on subnet receive time propagated by secondary servers.
NTP Hierarchy
Operating Modes
Client/Server mode: Client polls (secondary) server for time
Symmetric active mode: Periodically broadcasts time messages to synchronize other servers
Symmetric passive mode: Receives time messages from peers at equal or lower stratum number than host.
NTP Message Transmit
Timer associated with each peer is decremented periodically. When 0, NTP packet is sent.
Source and destination addresses and ports copied to IP packet variables.
Store NTP version, mode, stratum, distance to primary source, timestamp info, etc. in the packet, and transmit it.
NTP Message Receive
Checks if packet is reasonable
Resets internal variables based on message received
Adjusts local clock
Possibly selects a new peer to be used as clock source
Sanity Checks
Selection of Source Peer Algorithm
Goal: determine which peer should be allowed to synchronize current host’s clock
NTP assumes that there is correct time value and that by using multiple sources, inaccurate values can be discarded.
Delay calculated for each NTP message
Values computed from last 8 messages constitute a sample
Lowest delay and stratum number favored when selecting a source
Round trip delay: $(t_i - t_{i-3}) - (t_{i-1} - t_{i-2})$
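As an added illustration (not part of the presentation), the Python below computes the slide's round trip delay from the four timestamps of one exchange, keeps the last 8 delays per peer as a sample, and selects the source by lowest stratum and then lowest delay. The timestamp labels t_{i-3}..t_i are taken to be, in order, the request's origin time at the host, its receive time at the peer, the peer's transmit time and the reply's arrival time at the host; the field names, the stratum-before-delay ordering, the offset formula (standard NTP, not on the slide) and the sample values are this example's own assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Exchange:
    """The four timestamps (seconds) of one request/reply round trip.

    Field names are this example's own; the slide only labels them t_{i-3} .. t_i.
    """
    t_origin: float    # t_{i-3}: host sends the request
    t_receive: float   # t_{i-2}: peer receives the request
    t_transmit: float  # t_{i-1}: peer sends the reply
    t_dest: float      # t_i:     host receives the reply


def round_trip_delay(x: Exchange) -> float:
    """Slide formula: (t_i - t_{i-3}) - (t_{i-1} - t_{i-2}).

    Total elapsed time at the host minus the time the peer held the request,
    so the peer's own processing time is not counted as network delay.
    """
    return (x.t_dest - x.t_origin) - (x.t_transmit - x.t_receive)


def clock_offset(x: Exchange) -> float:
    """Standard NTP offset estimate (assumes a symmetric path); not on the slide."""
    return ((x.t_receive - x.t_origin) + (x.t_transmit - x.t_dest)) / 2


class Peer:
    """Per-peer state: stratum plus the delays of the last 8 messages (one sample)."""

    def __init__(self, name: str, stratum: int) -> None:
        self.name = name
        self.stratum = stratum
        self.delays: deque = deque(maxlen=8)  # the oldest entry drops off automatically

    def record(self, x: Exchange) -> None:
        self.delays.append(round_trip_delay(x))

    def best_delay(self) -> float:
        # The minimum of the sample is the least-congested observation.
        return min(self.delays)


def select_source(peers: Iterable[Peer]) -> Optional[Peer]:
    """Favour low stratum first, then low delay (this ordering is the example's assumption)."""
    candidates = [p for p in peers if p.delays]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.stratum, p.best_delay()))


def demo() -> str:
    """Constructed timestamps: two stratum-2 peers, one of which always answers late."""
    alpha = Peer("alpha", stratum=2)
    beta = Peer("beta", stratum=2)
    for i in range(8):
        base = 1000.0 + i
        alpha.record(Exchange(base, base + 0.010, base + 0.012, base + 0.030))  # delay 0.028
        beta.record(Exchange(base, base + 0.040, base + 0.042, base + 0.250))   # delay 0.248
    chosen = select_source([alpha, beta])
    return chosen.name if chosen else ""


if __name__ == "__main__":
    print("selected source:", demo())
```

Because the peer's hold time (t_{i-1} - t_{i-2}) is subtracted, a slow server does not look like a slow path; only time spent in transit counts, which is exactly what the delay attack on a later slide inflates.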
Access Control Mechanism
All hosts divided into 3 categories: trusted, friendly, others
Trusted hosts allowed to synchronize local clock
Friendly hosts are sent timestamps but may not synchronize local clock
Messages from others category ignored
Access Control Mechanism(2)
Relies on source address to determine category of host
Attacker can choose source address that allows synchronization of the victim
Authentication Mechanism
Uses symmetric key encryption between two parties (host and peer)
Algorithm and key distributed by means other than NTP
Most of the packet is checksummed using the key
Upon receipt, checksum is recomputed and compared to transmitted checksum
Keys are per-host based. Compromise of one host’s key can compromise all hosts it synchronizes with.
Five Possible Attacks on NTP
A non-time server impersonates a time server (masquerade)
An attacker modifies messages sent by time server (modification)
An attacker resends a time server’s message (replay)
An attacker intercepts a time server’s message and deletes it (denial of service)
An attacker delays time messages (delay)
Masquerade
Attack: Send packets to the victim with the source address of the time server to be imitated
Countermeasure: Authentication method
Message Modification
Alter packets sent to the victim. Examples of fields to alter:
Pkt.version – changed to earlier version will result in the packet being discarded
Pkt.mode – modes of host and peer become incompatible, packet is discarded
Pkt.stratum – altered value less than the true value may cause peer to be chosen as a clock source
Pkt.dispersion – altered value affects estimated round trip delay from the primary source, may cause peer to be chosen as clock source
Countermeasure: Use authentication
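To show why authentication answers both the masquerade and the modification slides, here is an added receiver-side check (example code, not from the presentation): the sender checksums the header under a key shared out of band, and the receiver recomputes and compares it. The packet layout (three one-byte fields plus a 64-bit transmit timestamp), the key table, and the use of HMAC-SHA256 as the keyed checksum are this example's assumptions; NTPv2's real header and checksum algorithm differ.

```python
import hashlib
import hmac
import struct

# Constructed key table (key id -> shared secret). In NTP the key and algorithm are
# distributed by some means other than NTP itself; this table stands in for that.
KEYS = {1: b"constructed-example-secret"}

# Simplified header for this example only: version, mode, stratum (1 byte each) and a
# 64-bit transmit timestamp. The real NTP header is larger; this layout is an assumption.
HEADER = struct.Struct("!BBBQ")   # 11 bytes
KEY_ID = struct.Struct("!I")      # 4 bytes
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def build_packet(version: int, mode: int, stratum: int, transmit_ts: int, key_id: int) -> bytes:
    """Sender side: checksum the header under the shared key and append key id + checksum."""
    body = HEADER.pack(version, mode, stratum, transmit_ts)
    mac = hmac.new(KEYS[key_id], body, hashlib.sha256).digest()
    return body + KEY_ID.pack(key_id) + mac


def verify_packet(pkt: bytes) -> bool:
    """Receiver side: recompute the checksum and compare it to the transmitted one."""
    if len(pkt) != HEADER.size + KEY_ID.size + MAC_LEN:
        return False
    body = pkt[:HEADER.size]
    (key_id,) = KEY_ID.unpack_from(pkt, HEADER.size)
    mac = pkt[HEADER.size + KEY_ID.size:]
    key = KEYS.get(key_id)
    if key is None:
        return False  # unknown key id: the source is not one we share a key with
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def with_stratum(pkt: bytes, stratum: int) -> bytes:
    """Copy of pkt with the stratum byte (offset 2) changed and the checksum left as is.

    Models the Pkt.stratum modification from the slide, so verify_packet can be
    shown to reject it.
    """
    return pkt[:2] + bytes([stratum & 0xFF]) + pkt[3:]


def packet_with_wrong_key(version: int, mode: int, stratum: int, transmit_ts: int, key_id: int) -> bytes:
    """A packet whose checksum was computed without the real key (models a masquerading host)."""
    body = HEADER.pack(version, mode, stratum, transmit_ts)
    mac = hmac.new(b"not-the-shared-key", body, hashlib.sha256).digest()
    return body + KEY_ID.pack(key_id) + mac


if __name__ == "__main__":
    genuine = build_packet(2, 4, 2, 3_900_000_000, 1)
    print("genuine verifies:", verify_packet(genuine))
    print("stratum lowered to 1 verifies:", verify_packet(with_stratum(genuine, 1)))
    print("wrong key verifies:", verify_packet(packet_with_wrong_key(2, 4, 2, 3_900_000_000, 1)))
```

Note what the check does not cover: a source address is not part of the checksummed body here, so a packet from the wrong address but with a valid checksum still verifies. That is why the access control slides and the authentication slide are separate mechanisms, and why the per-host keying noted earlier matters.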
Replay
Attack: Record messages sent at one time and resend them later
Countermeasures: Reject any packet with timestamp no newer than the last one received. But when clock runs fast, it must be set back.
Require a special packet to be sent when clock is to be moved back. Provide a nonce to ensure the packet cannot be replayed.
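The two replay countermeasures above, written out as receiver-side state (an added example, not the presentation's own code): ordinary packets must carry a timestamp newer than the last accepted one, and a clock can only be moved back by a special packet that echoes a single-use nonce the receiver issued. The message fields, the 16-byte nonce and the assumption that the packet's authenticity is already checked by the authentication mechanism are this example's own.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TimeMessage:
    """Minimal stand-in for a received time message (field names are this example's own)."""
    transmit_ts: int                 # peer's transmit timestamp
    set_back: bool = False           # the special "clock moves backwards" packet
    nonce: Optional[bytes] = None    # echoed challenge carried by a set-back packet


class ReplayFilter:
    """Receiver-side state implementing the two rules from the slide.

    Assumes the packet has already passed the keyed-checksum check, so the only
    question left is whether it is a recording of an earlier genuine packet.
    """

    def __init__(self) -> None:
        self.last_ts: Optional[int] = None
        self.pending_nonce: Optional[bytes] = None

    def issue_nonce(self) -> bytes:
        """Challenge handed to the peer before a set-back is accepted; single use."""
        self.pending_nonce = secrets.token_bytes(16)
        return self.pending_nonce

    def accept(self, msg: TimeMessage) -> bool:
        if msg.set_back:
            # Rule 2: only the special packet may move the clock back, and it must
            # carry the nonce we issued, so a recorded copy is useless later.
            if self.pending_nonce is None or msg.nonce is None:
                return False
            if not hmac.compare_digest(msg.nonce, self.pending_nonce):
                return False
            self.pending_nonce = None  # consumed: the same packet cannot be accepted twice
            self.last_ts = msg.transmit_ts
            return True
        # Rule 1: an ordinary packet must be newer than the last one accepted.
        if self.last_ts is not None and msg.transmit_ts <= self.last_ts:
            return False
        self.last_ts = msg.transmit_ts
        return True


if __name__ == "__main__":
    f = ReplayFilter()
    print("first packet:", f.accept(TimeMessage(1000)))
    print("same packet again:", f.accept(TimeMessage(1000)))
    n = f.issue_nonce()
    print("set-back with fresh nonce:", f.accept(TimeMessage(990, set_back=True, nonce=n)))
    print("set-back replayed:", f.accept(TimeMessage(990, set_back=True, nonce=n)))
```

The nonce is what makes the set-back path safe: without it, a recording of one legitimate set-back packet could be replayed whenever the attacker wanted the clock moved back, since by construction such a packet carries an older timestamp and rule 1 alone cannot tell it apart.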
Delay
Attack: Artificially increase roundtrip delay to the peer
Countermeasure: Redundancy of clock sources
Denial of Service
Attack: Prevent packets from clock sources from reaching host
Countermeasure: Redundancy of clock sources
Suggested Improvements
Authentication should be used with keys issued on a per-path, not per-host basis.
Access control should be based on routes recorded, not simply on IP address.
Servers should have several other source servers to limit effectiveness of delay and denial of service attacks.