NTP Attack Can Cause Encryption and DNS Problems

Aanchal Malhotra, Isaac E. Cohen, Erik Brakke, and Sharon Goldberg

wrote a paper (out of Boston University)


“Attacking the Networking Time Protocol”



Apparently if your servers and clients (which all have NTP) have their time changed can affect various processes.

To Attack …     Change time by …

TLS Certs                Years

HSTS                        a year

DNSSEC                 months

DNS Caches          days

Routing (RPKI)   days

Bitcoin                     hours

API authentication   minutes

Kerberos                minutes


There are apparently some attacks on the NTP infrastructure that have a good chance of success and if succeeding would potentially be able to stop encrypted communications (by changing the date of year).  So a successful attack could cause encryption to stop on shopping carts, or at least a potential customer would see that the site is not secure and take their business elsewhere.

A potential attack can create problems with a reboot – as that is when time can change the most (as there is a threshold of change most ntp processes will allow without failure). Especially if a -g option is used with the ntpd daemon on Unix/Linux systems.


Section V. is the “Kiss-o’-Death: Off-Path Denial-of-Service Attacks”


Off-Path attacks are hard due to the attacker inability to observe the client-server communication.  Due to the origin timestamp as the nonce (a cryptographic string only used once). This research shows that although initially the time stamp nonce is a good  cryptographic  method to protect communications Section B shows differently.

B. Exploiting the Kiss-O’-Death(KoD) packet.

A server sends a client a KoD packet when it is queried too many times.

{ Our experiments confirm that if the KoD packet has polling interval 
kod = 17 (the maximum allowable polling interval [41]) then the ntpd v4.2.8 client will stop querying the server for at least 2 kod sec (36 hours).
The poll field in the NTP packet is an 8-bit value ( i.e., ranging from 0 to 255), but RFC 5905 [41, pg 10] defines the maximum allowable poll value to be 17. The most recent ntpd implementation, however, will accept KoDs with poll values even larger than 17; setting kod = 25, for
example, should cause the client to stop querying its server for at least
2^25 seconds, or about 1 year. }

The Attack by the researchers uses KoD as a low-rate off-path DOS attack, the attacker can learn IP addresses of all preconfigure servers from which the client is willing to take time, and periodically(once every 2^7 KoD seconds) spoofs KoD packets from each of hem. The client will not synchronize to any of its preconfigured servers, and NTP is deactivated. Unfortunately this attack can continue indefinitely.


Knowing the Attack, now we need to find which systems are susceptible to this attack(the attack surface). TableII shows the ntpd versions on the Internet.


1.9 Million ntp servers are  _very_ old servers (4.1.1)

As per http://www.ntp.org/downloads.html the current version of ntp – 4.2.8p4.

The researchers have I believe boiled it down to the following:

Results of server scan.
Out of the 13M servers we scanned, about 24K servers were willing to fragment to a 68-byte MTU. 10K of these servers have bigger problems than just being vulnerable to our attacks: they were either unsynchronized or bad timekeepers.
Who are these vulnerable servers? The majority 87% (10,292) are at stratum 3, 14 at stratum 1 and 660 at stratum2.
Here is a good explanation of the different stratum servers.
http://www.endruntechnologies.com/stratum1.htm  essentially stratum 1 means being connected to the main stratum zero servers.
The researchers have developed a site to determine if ntp clinets are susceptible of the attack https://www.cs.bu.edu/~goldbe/NTPattack.html
Apparently Cisco and RedHat have issued patches because of this research.
My takeaway from this is that we can’t ignore ntp as an attack angle, especially when used in addition to other attacks, as yesterday’s post mentioned: http://oversitesentry.com/ddos-attack-allows-million-transferred-to-mule/
When DOS attacks are used on mail servers it can cause indirect attacks to succeed.
http://oversitesentry.com/contact-us/  to discuss your specialized situation.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.