Home / Blogs

NTP is Still a Security Risk

The Network Time Protocol (NTP) has been in the news a number of times over the past couple of years because of attacks on the protocol, vulnerabilities in the daemon, and the use of NTP in DDoS attacks.

In each case, the developers of NTP have responded quickly with fixes or recommendations for remediating these attacks. Additionally, the development team has continued to look ahead and has worked to enhance the security of NTP.

Unfortunately, that has not translated to an improved security picture for NTP. Part of the problem with NTP is that it is a "set it and forget protocol." When a new router or server is deployed NTP is configured and then most likely never touched again on that device. This often includes not upgrading the NTP daemon as new releases are available and it definitely does not include updating NTP configuration as new security recommendations are released. This means that there are a lot of vulnerable NTP clients and servers that are publicly accessible.

As a side project I run an NTP server that is part of the NTP Pool Project and is included in the pool.ntp.org rotation. I collect some statistical data from the incoming requests in order to understand more about how NTP traffic works from the server side. On August 1st, I collected 12 hours of NTP version data to see what the clients connecting to the server were running. I like the NTP Pool Project because it matches up random clients with servers that are part of the pool. This means that the server I manage sees a pretty random slice of traffic from around the world.

A little bit of background. NTP version 0 was first released with RFC 958 in 1985 (David L Mills actually developed it prior to that, but the release of the RFC is a good start date), more than 30 years ago. NTP version 3, documented in RFC 1305, was released by Mills in 1992. The most recent version of NTP, version 4, was released in 2010 and documented by Mills and team in RFC 5905. That means that the most recent version of NTP is more than 6 years old.

During the 12 hour period I was monitoring for incoming version information I saw a total of 4,597,036 incoming NTP requests. Of those 4,597,036 requests, 1,216,867 or 26.47% were NTP version 3 requests. Six years in, more than a quarter of NTP clients still have not upgraded to a version of the NTP daemon that supports version 4. Even in the small sample size that I was presented, 1,216,867 NTP clients have the potential to be used in a DDoS attack or are potentially exposing the rest of the network to attack.

All of the hard work being done by the NTP development team and researchers who are driving the improvements in NTP security doesn't mean anything if the end users of the NTP protocol don't focus on upgrading their systems and improving security practices around NTP.

By Allan Liska, Security Analyst
Follow CircleID on
Related topics: Cybersecurity
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

I suspect part of the reason for Todd Knarr  –  Aug 04, 2016 9:25 PM PDT

I suspect part of the reason for version 3 clients is router firmware. Upgrading router firmware's a bigger task than upgrading the software on desktops and servers, and I imagine 99% of consumers don't even think about it unless their router's malfunctioning badly enough to impact their connection's performance.

You are probably right... Allan Liska  –  Aug 04, 2016 9:59 PM PDT

I didn't want to draw any conclusions because all traffic coming from home networks looks like it is originating from the router, but my guess is you are correct. I know that in my case when I subscribed to my high speed Internet service many years ago they gave me a router to which I don't have access.  So, even if I wanted to, I couldn't update the firmware — which is why I run a firewall that I do control behind the ISP's router.

I would love to hear from anyone who works for a major ISP and knows how often, if ever, CPE is upgraded by the ISP.

Every consumer router I've bought in the Todd Knarr  –  Aug 04, 2016 10:12 PM PDT

Every consumer router I've bought in the last decade has NTP enabled and set to the NTP pool, and they have an NTP server available to the LAN so they'll be hitting the pool. Unfortunately Windows PCs (the majority of desktops) are configured to ignore the local NTP server and get time directly from Microsoft, so you likely don't see them at all. My personal experience has been that ISPs don't ever update CPE router firmware, if the hardware works they don't touch it and if it doesn't they replace it with whatever the current model is. The vendors follow similar practice, once they have a working firmware image I rarely see the components get updated unless required for a security bugfix in that component. As outdated as their base versions of DD-WRT tend to be, I don't have high hopes for current NTP software.

To post comments, please login or create an account.

Related

Topics

New TLDs

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

Cybersecurity

Sponsored byVerisign

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign