Attacking the Network Time Protocol (NTP)

Frank Wang
MIT Security Seminar
Mar 23, 2016

Aanchal Malhotra from Boston University came to the MIT security seminar to talk about attacks on NTP. This talk was related to a paper she published and presented at NDSS 2016. I will give an overview and outline of the talk, and I refer you to the paper for more details.

How does NTP work? The client sends queries at randomized, adaptively selected intervals, and it requires a certain number of self-consistent responses before it updates its clock.

(Figure: overview of how NTP works)

In their work, they attack the NTPv4 spec [RFC 5905] and its reference implementation. They assume that NTP messages are not cryptographically authenticated. But why? Cryptography would defend against man-in-the-middle and on-path attacks, but NTP's cryptography is rarely used in practice. NTP's symmetric authentication uses MD5(key||message), and there is no mechanism for key distribution. For asymmetric cryptography, the Autokey protocol [RFC 5906] is not a standards-track document, and its cryptography is badly broken.

In their paper, they show three off-path attacks. First, they perform a denial of service with a spoofed kiss-of-death packet. Then, they perform a denial of service by "priming the pump", and finally, they shift a client's time by IPv4 packet fragmentation. These attacks are subtle, so I refer you to the paper for details.

What are the conditions for the time-shifting attack? First, the server must fragment NTP packets into 68-byte fragments. They scanned 13 million servers, and about 24,000 servers were willing to fragment to 68-byte packets. Next, the client must reassemble overlapping fragments according to a "first" policy: when two fragments cover the same bytes, the client keeps the one that arrived earliest. They could not safely measure how common this is, because probing a host's reassembly policy means sending it overlapping fragments, which is what the teardrop attack did. Finally, the server must use an incrementing IPID, and the attacker can infer the IPID using techniques explained in this paper.

They patched the denial of service by spoofed kiss-of-death packet, and created an IETF draft for authentication to prevent the denial of service by priming the pump. For time shifting, they recommend that servers should not fragment to 68 bytes and that clients should drop overlapping fragments. Other recommendations include stopping a laptop from answering timing queries and doing more work on improving the cryptography in NTP.
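To make the "first" reassembly policy and the recommended fix concrete, here is a small Python model of IPv4 fragment reassembly, added for illustration and not taken from the talk or the paper: one reassembler keeps the earliest-arriving bytes on overlap, the other discards any datagram whose fragments overlap. The Fragment type, the byte offsets, and the payloads are constructed, and the model assumes all fragments belong to a single datagram (a real stack keys them by source, destination, IP ID, and protocol).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this payload within the original datagram
    data: bytes
    more: bool    # IPv4 "More Fragments" flag; False marks the final fragment

def _assemble(buf: Dict[int, int], frags: List[Fragment]) -> Optional[bytes]:
    """Return the datagram once every byte up to the final fragment is present."""
    final = [f for f in frags if not f.more]
    if len(final) != 1:
        return None                       # no (or ambiguous) final fragment yet
    total = final[0].offset + len(final[0].data)
    if any(i not in buf for i in range(total)):
        return None                       # hole: keep waiting, or time out
    return bytes(buf[i] for i in range(total))

def reassemble_first_policy(frags: Iterable[Fragment]) -> Optional[bytes]:
    """'First' policy: a byte written by an earlier-arriving fragment is never
    overwritten, so whoever gets a fragment in first owns those bytes."""
    frags = list(frags)                   # arrival order
    buf: Dict[int, int] = {}
    for f in frags:
        for i, b in enumerate(f.data):
            buf.setdefault(f.offset + i, b)
    return _assemble(buf, frags)

def reassemble_drop_overlap(frags: Iterable[Fragment]) -> Optional[bytes]:
    """Hardened policy: two fragments covering the same byte abort reassembly,
    so a planted fragment can only cause a drop, never a silent substitution."""
    frags = list(frags)
    buf: Dict[int, int] = {}
    for f in frags:
        span = range(f.offset, f.offset + len(f.data))
        if any(i in buf for i in span):
            return None                   # overlap detected: discard datagram
        for i, b in zip(span, f.data):
            buf[i] = b
    return _assemble(buf, frags)

# Constructed sample: a 24-byte payload in three 8-byte fragments (offsets are
# multiples of 8 as IPv4 requires), plus a planted fragment that arrives first
# and overlaps the middle fragment. With the first policy the planted bytes
# win; with the hardened policy the whole datagram is dropped.
LEGIT = [Fragment(0, b"A" * 8, True), Fragment(8, b"B" * 8, True),
         Fragment(16, b"C" * 8, False)]
PLANTED = Fragment(8, b"X" * 8, True)
```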

This is interesting work looking at problems with NTP, which is very important because many servers use NTP for coordination and synchronization. You can find out if your server is vulnerable at their website.
