Back To The Future: Security Analysis of the Network Time Protocol and its Implementations

Abstract

The Network Time Protocol (NTP) is the primary synchronization protocol for billions of devices. Although attacks on NTP servers have been well studied, attacks on NTP clients are less well understood. In this thesis, we scrutinize the 8 NTP clients across 3 Operating systems and test their resilience against attackers and malicious public time servers. We test all the clients against time manipulation, or time-shift attacks and exploit NTP protocol features to induce a denial-of-service for the client by cutting them off from legitimate time servers. We also analyze how these clients perform in normal operations or do they deviate from the NTP-specification-recommended behavior.

Our research analysis unveils 5 bugs and one vulnerabilities, which we disclose to the vendors. While most of the NTP clients follow the associated NTP standards, there exists a wide diversity in the behavior of all the time clients. While many clients follow the specification and best practices, deviations exist which make some of our attacks successful. In detail, macOS time client
is vulnerable to Time Shift attacks, and NTPD-RS is vulnerable to certain Kiss-of-Death packets which causes it to flood the network with queries and OpenNTPd cannot handle the NTP timestamp rollover. We dive into the design and configuration decisions that make the clients vulnerable to different
attacks, we comment of the potential harm, and we propose mitigation.