Aanchal Malhotra, Isaac E. Cohen, Erik Brakke, and Sharon Goldberg
wrote a paper (out of Boston University)
http://www.cs.bu.edu/~goldbe/papers/NTPattack.pdf
“Attacking the Network Time Protocol”
Apparently, if your servers and clients (which all run NTP) have their time changed, various processes can be affected.
| To Attack … | Change time by … |
|---|---|
| TLS Certs | Years |
| HSTS | a year |
| DNSSEC | months |
| DNS Caches | days |
| Routing (RPKI) | days |
| Bitcoin | hours |
| API authentication | minutes |
| Kerberos | minutes |
There are apparently some attacks on the NTP infrastructure that have a good chance of success and, if successful, could potentially stop encrypted communications (by changing the date or year). So a successful attack could cause encryption to stop on shopping carts, or at least a potential customer would see that the site is not secure and take their business elsewhere.
A potential attack can create problems at reboot, as that is when time can change the most (there is a threshold of change that most ntp processes will allow without failure), especially if the -g option is used with the ntpd daemon on Unix/Linux systems.
——————————————————————–
Section V is “Kiss-o’-Death: Off-Path Denial-of-Service Attacks”.
Off-path attacks are hard because the attacker cannot observe the client-server communication, and because the origin timestamp serves as a nonce (a cryptographic value used only once). This research shows that although the timestamp nonce initially looks like a good cryptographic protection for the communication, Section B shows otherwise.
B. Exploiting the Kiss-o’-Death (KoD) packet.
A server sends a client a KoD packet when it is queried too many times.
The attack by the researchers uses KoD as a low-rate off-path DoS attack: the attacker learns the IP addresses of all preconfigured servers from which the client is willing to take time, and periodically (once every 2^7 KoD seconds) spoofs KoD packets from each of them. The client will not synchronize to any of its preconfigured servers, and NTP is effectively deactivated. Unfortunately, this attack can continue indefinitely.
Knowing the attack, we now need to find which systems are susceptible to it (the attack surface). Table II shows the ntpd versions on the Internet.
1.9 million NTP servers are running a _very_ old version (4.1.1).
As per http://www.ntp.org/downloads.html, the current version of ntp is 4.2.8p4.
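Since the attack hinges on a client honouring a KoD packet it never should have trusted, a defender's first question is what such a packet looks like on the wire. The following is an added example (not code from the paper or from ntpd): it decodes the 48-byte NTPv4 header, recognises a KoD reply by its stratum-0 / ASCII kiss-code signature, and flags any KoD whose poll exponent exceeds ntpd's default maxpoll of 10. The sample packets and the threshold are constructed assumptions for illustration.

```python
import struct

# ntpd's default maxpoll is 10 (2**10 s, about 17 minutes). A KoD telling a
# client to back off further than that is worth an alert. Threshold is an
# assumption chosen for this example, not a value from the paper.
MAX_SANE_POLL = 10

def parse_ntp_header(packet: bytes) -> dict:
    """Decode the fixed 48-byte NTPv4 header (RFC 5905) into its fields."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", packet[:4])
    refid = packet[12:16]  # reference identifier: IPv4 addr, or ASCII kiss code
    return {
        "li": li_vn_mode >> 6,          # leap indicator (3 = unsynchronized)
        "vn": (li_vn_mode >> 3) & 0x7,  # NTP version
        "mode": li_vn_mode & 0x7,       # 4 = server reply
        "stratum": stratum,             # 0 = unspecified / kiss-o'-death
        "poll": poll,                   # signed log2 of the poll interval
        "refid": refid,
    }

def is_kod(hdr: dict) -> bool:
    """KoD replies carry stratum 0 and a printable ASCII kiss code (e.g. RATE)."""
    printable = all(0x20 <= b < 0x7F for b in hdr["refid"])
    return hdr["mode"] == 4 and hdr["stratum"] == 0 and printable

def classify(packet: bytes) -> str:
    """Return 'normal', 'kod:<code>' or 'suspicious-kod:<code>:poll=<n>'."""
    hdr = parse_ntp_header(packet)
    if not is_kod(hdr):
        return "normal"
    code = hdr["refid"].decode("ascii")
    if hdr["poll"] > MAX_SANE_POLL:
        return f"suspicious-kod:{code}:poll={hdr['poll']}"
    return f"kod:{code}"

def build_packet(li, vn, mode, stratum, poll, refid):
    """Constructed sample packet (not captured traffic); timestamps left zero."""
    first = struct.pack("!BBbb", (li << 6) | (vn << 3) | mode, stratum, poll, -20)
    return first + struct.pack("!II", 0, 0) + refid + b"\x00" * 32

SAMPLES = {  # constructed inputs
    "server reply": build_packet(0, 4, 4, 2, 6, b"\x0a\x00\x00\x01"),
    "ordinary RATE kod": build_packet(3, 4, 4, 0, 7, b"RATE"),
    "big-poll RATE kod": build_packet(3, 4, 4, 0, 17, b"RATE"),
}

def scan(samples=SAMPLES) -> dict:
    return {name: classify(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:20s} -> {verdict}")
```

The same classifier can be pointed at packets pulled from a capture on UDP/123 to see whether a client is receiving KoD replies from addresses that are not its configured servers.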
The researchers have I believe boiled it down to the following: