Using NTP as a Weapon


The Network Time Protocol (NTP) has been around since 1980, and it has been compromised by hackers. In this interesting article by Harlan Stenn, we learn about the history of NTP, how it is being used (and misused) today, and what the future may hold for this useful protocol.

Depending on where you draw the line, the Internet became useful in 1991-1992 and fully arrived in 1995. NTP version 4 appeared in 1997. Now, 17 years later, IETF (Internet Engineering Task Force) is almost done finalizing the NTP version 4 standard, and some of us are starting to think about NTP version 5.

All of this is being done by volunteers—with no budget, just by the good graces of companies and individuals who care. This is not a sustainable situation. NTF (Network Time Foundation) is the vehicle that can address this problem, with the support of other organizations and individuals. For example, the Linux Foundation’s Core Infrastructure Initiative recently started partially funding two NTP developers: Poul-Henning Kamp for 60 percent of his available time to work on NTP, and me for 30-50 percent of my NTP development work.

On the public Internet, NTP tends to be visible from three types of machines. One is in embedded systems. When shipped misconfigured by the vendor, these systems have been the direct cause of abuse. These systems do not generally support external monitoring, so they are not generally abusable in the context of this article. The second set of machines would be routers, and the majority of the routers that run NTP are from Cisco and Juniper. The third set of machines tend to be Windows machines that run win32time (which does not allow monitoring, and is therefore neither monitorable, nor abusable in this context), and Unix boxes that run NTP, acting as local time servers and distributing time to other machines on the LAN that run NTP to keep the local clock synchronized.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s