A Security Analysis of the Network Time Protocol (NTP)
Presentation by Tianen Liu

Overview
• NTP version 2
• Five types of attacks against NTP
• Suggested improvements

Requirements of NTP
• Deliver accurate time over a wide-area network
• Synchronize time and frequency
• Work with a variety of computers
• Overcome the problem of transmission delay
• Loss of a single transmission path does not prevent other portions of the network from obtaining correct time

Multi-Tiered System
• Each layer is a stratum
• Stratum 1: primary servers connected to atomic or radio clocks
• Stratum >1: secondary servers synchronize with primary servers or with other secondary servers at lower stratum numbers
• Hosts on a subnet receive time propagated by secondary servers

Operating Modes
• Client/server mode
  • Client polls a (secondary) server for time
• Symmetric active mode
  • Periodically broadcasts time messages to synchronize other servers
• Symmetric passive mode
  • Receives time messages from peers at an equal or lower stratum number than the host

NTP Message Transmit
• A timer associated with each peer is decremented periodically. When it reaches 0, an NTP packet is sent.
• Source and destination addresses and ports are copied into the IP packet variables.
• NTP version, mode, stratum, distance to the primary source, timestamp information, etc. are stored in the packet, and it is transmitted.

NTP Message Receive
• Checks whether the packet is reasonable
• Resets internal variables based on the message received
• Adjusts the local clock
• Possibly selects a new peer to be used as the clock source

Selection of Source Peer Algorithm
• Goal: determine which peer should be allowed to synchronize the current host's clock
• NTP assumes that there is a correct time value and that, by using multiple sources, inaccurate values can be discarded

Delay Calculated for Each NTP Message
• Values computed from the last 8 messages constitute a sample
• Lowest delay and lowest stratum number are favored when selecting a source
• Round-trip delay: $(t_i - t_{i-3}) - (t_{i-1} - t_{i-2})$
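The delay formula and the 8-message sample window above, carried through in code. This is an added example written for this page, not code from the presentation or from any NTP implementation. Timestamps follow the slide's notation (t_{i-3} = request sent, t_{i-2} = request received by the server, t_{i-1} = response sent, t_i = response received); the offset formula is taken from the NTP specification rather than the slide, the millisecond values are constructed, and the ordering "stratum first, delay as tie-breaker" in select_source is an assumption about how the two criteria combine.

```python
from collections import deque

# Timestamps, in the slide's notation, for one request/response exchange:
#   t_{i-3}: client sends the request (origin timestamp)
#   t_{i-2}: server receives the request
#   t_{i-1}: server sends the response (transmit timestamp)
#   t_i    : client receives the response
# All sample values used with these functions are constructed, in milliseconds.

def round_trip_delay(t_i3, t_i2, t_i1, t_i):
    """Round-trip delay: (t_i - t_{i-3}) - (t_{i-1} - t_{i-2}).
    The server's own processing time (t_{i-1} - t_{i-2}) is subtracted,
    so only the time spent on the network remains."""
    return (t_i - t_i3) - (t_i1 - t_i2)

def clock_offset(t_i3, t_i2, t_i1, t_i):
    """Estimated offset of the server clock relative to the local clock.
    This formula comes from the NTP specification, not from the slide."""
    return ((t_i2 - t_i3) + (t_i1 - t_i)) / 2

class Peer:
    """A candidate clock source that keeps its last 8 (delay, offset) samples."""
    def __init__(self, name, stratum):
        self.name = name
        self.stratum = stratum
        self.samples = deque(maxlen=8)   # the 9th sample pushes the oldest out

    def record(self, t_i3, t_i2, t_i1, t_i):
        self.samples.append((round_trip_delay(t_i3, t_i2, t_i1, t_i),
                             clock_offset(t_i3, t_i2, t_i1, t_i)))

    def best_sample(self):
        """Lowest-delay sample in the window, or None if nothing was recorded."""
        return min(self.samples) if self.samples else None

def select_source(peers):
    """Choose the peer allowed to synchronize the local clock: lowest stratum
    first, lowest delay as tie-breaker (assumed ordering of the two criteria)."""
    candidates = [p for p in peers if p.samples]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.stratum, p.best_sample()[0]))

if __name__ == "__main__":
    a = Peer("a", 2)
    a.record(1000, 1003, 1004, 1006)      # delay 5 ms, offset +0.5 ms
    b = Peer("b", 2)
    b.record(1000, 1010, 1011, 1030)      # delay 29 ms: a longer path
    print(select_source([a, b]).name)     # "a": same stratum, lower delay
```

Because the selection keys on delay, a peer whose path is artificially slowed loses out to a redundant source with a shorter path; that is the mechanism behind the "redundancy of clock sources" countermeasure on the later slides.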
Access Control Mechanism
• All hosts are divided into 3 categories: trusted, friendly, others
• Trusted hosts are allowed to synchronize the local clock
• Friendly hosts are sent timestamps but may not synchronize the local clock
• Messages from the "others" category are ignored

Access Control Mechanism (2)
• Relies on the source address to determine the category of a host
• An attacker can choose a source address that allows synchronization of the victim

Authentication Mechanism
• Uses symmetric-key encryption between two parties (host and peer)
• Algorithm and key are distributed by means other than NTP
• Most of the packet is checksummed using the key
• Upon receipt, the checksum is recomputed and compared to the transmitted checksum
• Keys are per-host. Compromise of one host's key can compromise all hosts it synchronizes with.

Five Possible Attacks on NTP
• A non-time server impersonates a time server (masquerade)
• An attacker modifies messages sent by a time server (modification)
• An attacker resends a time server's message (replay)
• An attacker intercepts a time server's message and deletes it (denial of service)
• An attacker delays time messages (delay)

Masquerade
• Attack: send packets to the victim with the source address of the time server to be imitated
• Countermeasure: authentication mechanism

Message Modification
• Attack: alter packets sent to the victim
• Examples of fields to alter:
  • Pkt.version: changed to an earlier version, the packet is discarded
  • Pkt.mode: modes of host and peer become incompatible, the packet is discarded
  • Pkt.stratum: a value lower than the true value may cause the peer to be chosen as a clock source
  • Pkt.dispersion: an altered value affects the estimated round-trip delay from the primary source and may cause the peer to be chosen as a clock source
• Countermeasure: use authentication

Replay
• Attack: record messages sent at one time and resend them later
• Countermeasures:
  • Reject any packet with a timestamp no newer than the last one received
  • But when the clock runs fast, it must be set back. Require a special packet to be sent when the clock is to be moved back, and include a nonce so that the packet cannot be replayed.
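A receiver that applies the countermeasures from the Authentication, Masquerade, Message Modification and Replay slides to a simplified packet: recompute the keyed checksum and compare, discard packets whose version or mode does not fit, and reject any packet whose transmit timestamp is not newer than the last one accepted from that key. This is an added example written for this page, not the presentation's or any NTP implementation's code. The packet layout (version, mode, stratum, transmit timestamp, key id, authenticator) is a constructed simplification of an NTP header, HMAC-SHA256 stands in for the NTPv2 keyed checksum, and the key material is a constructed placeholder.

```python
import hashlib
import hmac
import struct

# Constructed demo key, indexed by key id. Real keys are distributed out of band
# ("algorithm and key distributed by means other than NTP").
KEYS = {1: b"constructed-demo-key-not-for-real-use"}

# Simplified header: version, mode, stratum, transmit timestamp (integer seconds).
HEADER_FMT = "!BBBQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 11 bytes
KEYID_LEN = 4
MAC_LEN = hashlib.sha256().digest_size     # 32 bytes

# NTP mode numbers: 1 symmetric active, 2 symmetric passive, 3 client, 4 server.
MODE_SERVER = 4

def authenticator(key, header):
    """Keyed checksum over the header. HMAC-SHA256 is an assumption standing in
    for the symmetric-key checksum the slide describes."""
    return hmac.new(key, header, hashlib.sha256).digest()

def build_packet(version, mode, stratum, transmit_ts, key_id):
    """What a legitimate server sends: header, key id, authenticator."""
    header = struct.pack(HEADER_FMT, version, mode, stratum, transmit_ts)
    return header + struct.pack("!I", key_id) + authenticator(KEYS[key_id], header)

def tamper_stratum(packet, new_stratum):
    """Modification in transit: overwrite the stratum byte, leave the MAC alone."""
    altered = bytearray(packet)
    altered[2] = new_stratum
    return bytes(altered)

class Receiver:
    """The 'checks if packet is reasonable' step of NTP message receive."""
    def __init__(self, keys, version=2, accepted_modes=(1, 2, MODE_SERVER)):
        self.keys = keys
        self.version = version
        self.accepted_modes = accepted_modes
        self.last_transmit_ts = {}   # key id -> newest transmit timestamp accepted

    def accept(self, packet):
        if len(packet) != HEADER_LEN + KEYID_LEN + MAC_LEN:
            return "bad_length"
        header = packet[:HEADER_LEN]
        (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEYID_LEN])
        mac = packet[HEADER_LEN + KEYID_LEN:]
        key = self.keys.get(key_id)
        if key is None:
            return "unknown_key"      # no shared key: treated like the "others" category
        # Constant-time comparison of the recomputed checksum with the transmitted one.
        if not hmac.compare_digest(mac, authenticator(key, header)):
            return "bad_mac"          # masquerade (wrong key) or modification
        version, mode, stratum, transmit_ts = struct.unpack(HEADER_FMT, header)
        if version != self.version:
            return "bad_version"      # e.g. Pkt.version rewound to an earlier version
        if mode not in self.accepted_modes:
            return "bad_mode"         # incompatible host/peer modes
        if transmit_ts <= self.last_transmit_ts.get(key_id, -1):
            return "replay"           # not newer than the last packet from this key
        self.last_transmit_ts[key_id] = transmit_ts
        return "ok"

if __name__ == "__main__":
    rx = Receiver(KEYS)
    genuine = build_packet(2, MODE_SERVER, 2, 1000, 1)
    print(rx.accept(genuine))                    # ok
    print(rx.accept(tamper_stratum(genuine, 1))) # bad_mac
    print(rx.accept(genuine))                    # replay
```

The timestamp check only covers the plain replay case; the slide's exception, a clock that must be set back, needs the separate nonce-carrying packet it describes, which this example does not implement. Note also that the check is keyed per key id, so it inherits the per-host key weakness the Authentication slide points out.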
Delay
• Attack: artificially increase the round-trip delay to the peer
• Countermeasure: redundancy of clock sources

Denial of Service
• Attack: prevent packets from clock sources from reaching the host
• Countermeasure: redundancy of clock sources

Suggested Improvements
• Authentication should be used with keys issued on a per-path, not per-host, basis.
• Access control should be based on routes recorded, not simply on the IP address.
• Servers should have several other source servers to limit the effectiveness of delay and denial-of-service attacks.