Boston University Researchers Identify Network Time Protocol (NTP) Vulnerabilities
The rising number of distributed denial of service (DDoS) attacks on computer networks is gaining the attention of researchers. A group of Boston University (BU) researchers published a report this week that examines the risks that unauthenticated Network Time Protocol (NTP) deployments face due to software implementation flaws. “Attacking the Network Time Protocol” by Aanchal Malhotra, Isaac E. Cohen, Erik Brakke and Sharon Goldberg of BU notes that NTP, one of the oldest Internet protocols, is prone to DDoS attacks.
Malhotra, a Ph.D. candidate, discovered security vulnerabilities in the network time protocol used to synchronize computer clocks, according to ThreatPost. These vulnerabilities could enable an attacker on a network to roll back time on computers and thereby undermine cryptographic calculations, launch DDoS attacks, or defeat other security measures.
Goldberg, a BU computer science associate professor, said Malhotra carried out the attack by shifting time through NTP. Both researchers were surprised that no one had previously considered this as an attack vector, and they recognized it as a tool for launching attacks against systems that depend on time.
Cryptographic Protocols Utilize Time
The vulnerability is critical because time plays an important role in computing applications and numerous cryptographic protocols rely heavily on it, the research paper notes.
The researchers sought to examine attacks on unauthenticated NTP that are possible within the NTP protocol specification. They considered both on-path attacks, in which the attacker sits on the path between the NTP client and its server, and off-path attacks, in which an attacker anywhere on the network cannot observe client-server traffic.
On-path attacks involve various techniques to intercept NTP server traffic, the paper noted, and shift time on the NTP server’s clients. An on-path attacker can easily identify when a client initializes.
An off-path attacker can exploit NTP’s rate-limiting mechanism, the “Kiss-o’-Death” (KoD) packet, to disable NTP on a client, the researchers noted. The attacker only has to spoof a single KoD packet from the client’s preconfigured servers, whereupon the client stops querying those servers and cannot update its clock. Standard network scanning tools can accomplish such an attack within a few hours.
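As an added example (not code from the BU paper), the following Python parses the 48-byte NTP v4 header, recognises a RATE Kiss-o’-Death, and applies the defender-side check that a genuine KoD must echo the client’s own transmit timestamp in its origin field, which an off-path spoofer cannot see; the packets and server names are constructed samples.

```python
import struct

# NTP v4 header (RFC 5905), 48 bytes: LI/VN/Mode, stratum, poll, precision,
# root delay, root dispersion, reference ID, then reference, origin,
# receive and transmit timestamps (64 bits each).
NTP_HDR = "!BBbbII4sQQQQ"

def build_packet(mode, stratum, refid, org=0, xmt=0):
    """Construct a sample packet (constructed test data, not a capture)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode       # leap 0, version 4
    return struct.pack(NTP_HDR, li_vn_mode, stratum, 6, -20, 0, 0,
                       refid, 0, org, 0, xmt)

def parse_packet(data):
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_HDR, data[:48])
    return {"mode": f[0] & 0x7, "stratum": f[1], "refid": f[6],
            "org": f[8], "xmt": f[10]}

def is_kod(pkt):
    """A Kiss-o'-Death is a server reply (mode 4) with stratum 0 and an ASCII
    kiss code in the reference ID; RATE is the rate-limiting code."""
    return pkt["mode"] == 4 and pkt["stratum"] == 0 and pkt["refid"] == b"RATE"

def classify_kod(pkt, outstanding_xmt):
    """Defender-side check: a genuine KoD echoes the transmit timestamp of
    the query it answers in its origin field. An off-path spoofer does not
    see that timestamp, so a mismatch marks the packet as suspect."""
    if not is_kod(pkt):
        return "not-kod"
    if pkt["org"] == outstanding_xmt:
        return "kod-matches-query"
    return "kod-spoof-suspect"

def audit_replies(replies):
    """replies: iterable of (server, raw_packet, client_outstanding_xmt).
    Returns the servers whose KoD did not echo the client's own query."""
    return [server for server, data, xmt in replies
            if classify_kod(parse_packet(data), xmt) == "kod-spoof-suspect"]

if __name__ == "__main__":
    # Constructed sample: a genuine KoD and a spoofed one, for two servers.
    sample = [
        ("ntp-a.example", build_packet(4, 0, b"RATE", org=0x1111), 0x1111),
        ("ntp-b.example", build_packet(4, 0, b"RATE", org=0x2222), 0x3333),
    ]
    print(audit_replies(sample))   # ['ntp-b.example']
```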
NTP Ecosystem Integrity Examined
The paper examined the integrity of the NTP ecosystem using new network-wide scans and data from the openNTPproject.
On Nov. 19, 2012, two NTP servers jumped back in time by about 12 years, causing outages of Active Directory authentication servers, routers, and PBXs. The paper observed that when NTP fails, multiple applications on a system can fail simultaneously.
NTP attacks can also be used against the Resource Public Key Infrastructure (RPKI), the paper noted, referring to a new infrastructure that secures routing.
Attackers can also use NTP for cache flushing. DNS cache entries usually live for around 24 hours, so pushing a resolver’s clock ahead by one day causes most of its cache entries to expire. A failure like the one in November 2012 could drive many resolvers to flush their caches simultaneously, flooding the network with DNS queries.
Bitcoin Block Chain Vulnerable
The researchers observed that an NTP attacker can trick a victim into rejecting a legitimate block from the bitcoin block chain. The block chain consists of time-stamped blocks, and a block is accepted onto the chain only if its timestamp falls within a validity interval. An NTP attacker can also trick a victim into wasting computational energy on proofs-of-work for a stale block.
NTP vulnerabilities are not new. Attackers carried out high-profile DDoS attacks in late 2013 and early 2014 by amplifying traffic through NTP servers.
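As an added illustration (not from the paper), this Python models the block-timestamp validity interval Bitcoin nodes enforce (a timestamp must exceed the median of the previous 11 block times and be no more than two hours ahead of the node’s clock) and shows both effects described above: a node rolled back three hours rejects a legitimate block, and a node pushed forward three hours mines a block the rest of the network rejects. It uses the node’s clock directly rather than Bitcoin’s network-adjusted time, which is a simplifying assumption; the chain data is constructed.

```python
MAX_FUTURE_SECS = 2 * 60 * 60   # a block may be at most 2 h ahead of the node's clock
MEDIAN_WINDOW = 11              # and must be later than the median of the last 11 blocks

def median_time_past(prev_block_times):
    """Median of the previous 11 block timestamps (upper-middle element,
    as Bitcoin computes it)."""
    window = sorted(prev_block_times[-MEDIAN_WINDOW:])
    return window[len(window) // 2]

def block_time_valid(block_time, prev_block_times, node_now):
    """The validity interval: median_time_past < block_time <= node_now + 2h."""
    return median_time_past(prev_block_times) < block_time <= node_now + MAX_FUTURE_SECS

def effect_of_time_shift(block_time, prev_block_times, true_now, shift_secs):
    """Verdict on the same legitimate block from an honest node and from a
    node whose clock an NTP attacker moved by shift_secs (negative = rolled back)."""
    honest = block_time_valid(block_time, prev_block_times, true_now)
    shifted = block_time_valid(block_time, prev_block_times, true_now + shift_secs)
    return honest, shifted

def victims_block_accepted(prev_block_times, true_now, shift_secs):
    """A victim stamps the block it mines with its own shifted clock; honest
    nodes judge that stamp against the true time. False = wasted proof-of-work."""
    return block_time_valid(true_now + shift_secs, prev_block_times, true_now)

if __name__ == "__main__":
    # Constructed chain: 11 blocks 10 minutes apart, a fresh block mined
    # 10 minutes after the last one and observed 100 s later.
    base = 1_700_000_000
    prev = [base + 600 * i for i in range(11)]
    new_block, now = base + 6600, base + 6700
    print(effect_of_time_shift(new_block, prev, now, -3 * 3600))  # (True, False)
    print(victims_block_accepted(prev, now, 3 * 3600))            # False
```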
History Of NTP Vulnerabilities
In January 2014, the U.S. Computer Emergency Readiness Team (US-CERT) issued an alert about NTP amplification attacks, describing them as DDoS attacks that rely on publicly accessible NTP servers.
US-CERT noted that the attack technique consists of sending a “get monlist” request to an NTP server with the source address spoofed to be the victim’s address. The solution is to disable “monlist” on the NTP server or to upgrade to a later NTP version that disables it.
The simplest course of action, US-CERT noted, is to upgrade all publicly accessible ntpd installations to version 4.2.7. It is also possible to disable the monitor function in earlier software versions.
DDoS attacks congested Internet connectivity and disrupted online services at unprecedented levels in 2013, overshadowing the application-layer attacks that hackers had preferred in previous years.
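As an added illustration (not from US-CERT or the BU paper), here is the ntpd configuration change that removes the monlist amplification vector, assuming a classic ntp.conf and placeholder upstream servers; note that the `kod` and `limited` flags on the hardened `restrict` line are what make the server send the rate-limiting KoD replies that the BU paper’s off-path attack spoofs, so the two findings meet in this one file.

```conf
# Before: an ntp.conf with no access restrictions answers mode 7 "monlist"
# queries from anyone, so a small spoofed request produces a large reply
# that is sent to the spoofed (victim) address.
server time1.example.net   # placeholder upstream servers
server time2.example.net

# After: disable the monitor subsystem and refuse mode 6/7 queries and
# configuration changes from the Internet, while still answering ordinary
# time requests; the local host keeps full access for ntpq diagnostics.
disable monitor
restrict default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server time1.example.net
server time2.example.net
```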
Security Report Cites DDoS Threat
Arbor Networks, which specializes in DDoS and advanced threat protection, released its Worldwide Infrastructure Security Report in January 2014, noting that DDoS attacks were the top operational threat to service providers and enterprise environments, according to threatpost.com. Darren Anstee, solutions architect at Arbor Networks, said attackers were trying either to impact service availability or, as part of a broader campaign, to distract from financial fraud and theft, also according to threatpost.com.
Attacks like the takedown of Spamhaus, an international organization that tracks spammers, are outliers, using triple the traffic of the multiple attacks targeting big financial institutions such as Wells Fargo, PNC and Bank of America that were allegedly carried out by the al-Qassam Cyber Fighters.
The availability of open DNS resolvers allowed the Spamhaus attackers to spoof Spamhaus IP addresses and send large volumes of DNS requests. These attacks caused collateral damage to online streaming services such as Netflix.
The Arbor report noted that few companies have the security staff needed to protect infrastructure such as DNS.
The vulnerabilities uncovered by the BU researchers can be exploited with various levels of sophistication on the attackers’ part, Goldberg said.
Interest in NTP-based DDoS attacks has grown, the BU researchers noted, but fewer studies have examined the implications of shifting time by means of NTP attacks. The BU team explored new on-path and off-path attacks exploiting NTP protocol vulnerabilities. They also noted complementary efforts to find ntpd software bugs, which matter because ntpd usually runs as root on the host machine.
The BU team noted that their work could motivate the Internet community to further examine NTP cryptographic authentication.
Images from Shutterstock and US-Cert.