Why You Should Consider Moving From NTP to NTPsec
By: Steven J. Vaughan-Nichols
NTP’s maintenance has slowed to a crawl and it’s been the subject of numerous DDoS attacks. It’s time to consider a change.
Doesn’t anyone really know what time it is? Does anyone really care? It made a fine song lyric for the band Chicago, but it’s no way to run the internet. On the net, everything needs to know the precise time to within a microsecond, and the tool we use to do that is Network Time Protocol (NTP).
NTP provides the internet’s heartbeat. Without it, servers and PCs wouldn’t know what time it is. That, in turn, would mean backups would fail, financial transactions would go awry, and many fundamental network services wouldn’t work. The primary time-keepers of the net are stratum-0 devices, i.e., atomic clocks. NTP connects these to other devices, which in turn set the time for everything online.
NTP is an open-source project. Unfortunately, it’s one of those projects with only one chief developer, Harlan Stenn. For the longest time he was programming NTP on a shoestring from his home.
After OpenSSL’s Heartbleed disaster, the Linux Foundation set up the Core Infrastructure Initiative (CII) to fund those small, but vital, programs. NTP gained CII support, but then things went amiss.
According to NTP, as of November 2016, the “project remains severely under-funded. Google was unable to sponsor us this year and, currently, the Linux Foundation’s CII only supports Harlan for about 25% of his hours per week and is restricted to NTP development only.”
For a project that everyone uses and that has had multiple security worries, that is NOT good news. NTP servers have often been hijacked for use in major Distributed Denial of Service (DDoS) attacks.
Stenn, seemingly overwhelmed by the programming demands, recently wrote about a late security patch, “Reality bites — we remain severely under-resourced for the work that needs to be done. You can yell at us about it, and/or you can work to help us, and/or you can work to get others to help us.”
There is, of course, no time and minimal resources to add Network Time Security (NTS) to NTP. NTS, an Internet Engineering Task Force (IETF) draft, would help secure NTP. Today, you must use BCP38 network filtering to prevent your NTP servers from being exploited in a DDoS.
So what can you do about it? Well, if you’re a C programmer or have some cash, you can help Stenn. But if what you want is just a safer, more secure NTP for your servers today, consider switching to NTPsec.
Like NTP, NTPsec is underfunded. Indeed, one of the project’s leaders, open-source developer Eric S. Raymond, recently opened a Patreon fund to support NTPsec.
Still, even as a late beta, NTPsec boasts several improvements. Besides being more secure, NTPsec can use the full precision of modern clocks, down to the nanosecond level. The program is now at a fully functional 0.9.6 version. The 1.0 release is expected shortly.
The program is currently written in C and Python. In the future NTPsec will be ported to Go with some code left in C.
Want to give it a try? NTPsec supports almost all Linux, BSD and Unix distributions. Unlike NTP, NTPsec doesn’t support Windows.
You will need to build and install NTPsec as root. This is not a job for novices. While the NTPsec build, which uses the waf build system instead of autoconf, is very straightforward, things can still go badly wrong if you’re not a Linux power user.
Once installed, you will need to create an NTP configuration file in its default location, /etc/ntp.conf. For 99% of users, the Quick Start page will get NTPsec up and running. If you need to do more than serve the time to your local servers and clients, go to the ntpd (Network Time Protocol daemon) documentation page.
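As an added example (not code from this article or from the NTPsec project), here is a short Python audit of the `restrict default` line in an ntp.conf, the access-control setting that decides whether a server will answer the control queries that have been abused for DDoS amplification. The baseline flag set and the two sample configs are my own assumptions, not settings taken from the article.

```python
# Added example: audit the "restrict default" access-control line of an ntp.conf
# for the flags that keep a public-facing server from serving as a DDoS reflector.
# The flag names are the classic ntpd/NTPsec restrict keywords; the baseline set
# below is an assumption of this example, not a value from the article.
REQUIRED_FLAGS = {"kod", "limited", "nomodify", "nopeer", "noquery"}


def parse_restrict_default(conf_text):
    """Return the merged flag set of all 'restrict default' lines (IPv4/IPv6 forms
    'restrict -4 default' / 'restrict -6 default' included), or None when no such
    line exists, in which case ntpd answers every query from every address."""
    flags = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        parts = line.split()
        if not parts or parts[0] != "restrict":
            continue
        rest = parts[1:]
        if rest and rest[0] in ("-4", "-6"):   # optional address-family selector
            rest = rest[1:]
        if not rest or rest[0] != "default":
            continue                            # a per-host rule, not the default
        flags = (flags or set()) | set(rest[1:])
    return flags


def audit(conf_text):
    """Return a list of findings; an empty list means the baseline is met."""
    flags = parse_restrict_default(conf_text)
    if flags is None:
        return ["no 'restrict default' line: the server answers any query from anyone"]
    return [f"restrict default is missing '{f}'" for f in sorted(REQUIRED_FLAGS - flags)]


# Constructed sample: upstream servers only, no access control at all.
WEAK_CONF = """\
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
"""

# Constructed sample: serve time, refuse control/modify queries, rate-limit, trust localhost.
HARDENED_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod limited nomodify nopeer noquery  # everyone not listed below
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```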
Why do this? Because between the two rival NTP servers, NTPsec seems to me the more likely to remain secure in an increasingly dangerous internet.
Please feel free to share below any comments or insights about your experience with NTP, NTPsec or DDoS attacks. And if you found this blog useful, please consider sharing it through social media.
About the blogger: Steven J. Vaughan-Nichols is a veteran IT journalist whose estimable work can be found on a host of channels, including ZDNet.com, PC Magazine, InfoWorld, ComputerWorld, Linux Today and eWEEK. Steven’s IT expertise comes without parallel — he has even been a Jeopardy! clue. And while his views and cloud situations are solely his and don’t necessarily reflect those of Linode, we are grateful for his contributions. He can be followed on Twitter (@sjvn).