Attacking NTP’s Authenticated Broadcast Mode

Aanchal Malhotra, Sharon Goldberg
Appears in: 
CCR April 2016

We identify two attacks on the Network Time Protocol (NTP)’s cryptographically-authenticated broadcast mode. First, we present a replay attack that allows an on-path attacker to indefinitely stick a broadcast client to a specific time. Second, we present a denial-of-service (DoS) attack that allows an off-path attacker to prevent a broadcast client from ever updating its system clock; to do this, the attacker sends the client a single malformed broadcast packet per query interval. Our DoS attack also applies to all other NTP modes that are ‘ephemeral’ or ‘preemptable’ (including manycast, pool, etc). We then use network measurements to give evidence that NTP’s broadcast and other ephemeral/preemptable modes are being used in the wild. We conclude by discussing why NTP’s current implementation of symmetric-key cryptographic authentication does not provide security in broadcast mode, and make some recommendations to improve the current state of affairs.

Public Review By: 
Alberto Dainotti

Besides the recently famous gravitational waves, there is another phenomenon affecting the spacetime continuum, at least in the Internet universe: the Network Time Protocol (NTP, RFC5905), used for decades by Internet attached hosts to establish and maintain synchronization of their clocks. In this paper, Aanchal and Sharon show how an attacker can alter a system’s perception of time when it relies on NTP. System time has an immense effect on host activities: cached data expiration, scheduled jobs, public-key certificate expiration, backups, cryptographic protocols, time-outs in general, etc. Therefore, manipulation of the system clock can open the path to several attacks.The authors identify two vulnerabilities affecting NTP protocol’s cryptographically-authenticated broadcast mode. The first allows an on-path attacker to stick an NTP broadcast client to a specific time indefinitely. The second vulnerability exposes a client to a denial-of-service attack, in which an off-path attacker prevents the client from updating its system clock. The authors also perform a survey of the IPv4 address space, identifying several hosts using NTP broadcast mode.Reviewers found the contribution of this work relevant, not only because it pertains to more secure protocol design, but also because the authors explain solutions and collaborated with industry, developers and standardization groups to improve the security of the protocol and its implementations. The reviewers also discussed the potentially limited nature of these vulnerabilities given that NTP’s cryptographically-authenticated broadcast mode does not seem to be widely adopted. However, as the authors explain, it is difficult to establish figures on the popularity of this mode, since (i) it is most common in clients behind NAT, and (ii) several firewalls filter queries that may reveal such information. Finally, we believe this paper is a good match for CCR also because the two vulnerabilities discussed have just been disclosed and assigned a CVE-ID, which makes the paper even more... timely! ACM SIGCOMM Computer Communication Review