alokkm · 6 years ago
Assessment of Network Time Protocol (NTP) vulnerabilities
NTP is one of the oldest internet protocols; it synchronizes time between computer systems and the internet. Time plays a crucial role in the security of a system yet is often ignored, so altering a machine's time makes replay attacks as well as Denial of Service attacks possible. Attackers normally have to search a system for a weakness and can attack only if they find one; in the case of NTP the protocol itself is the weak point, and an attacker can target any software that relies on NTP, which almost all software does. An attack on an NTP server can trigger serious issues: it can misalign machines and cause malfunctions, and it can allow entities to authenticate with expired credentials or digital certificates. Many DoS and DDoS attacks are possible depending on whether or not the device knows the correct time, and time also decides whether a certificate is still valid. Even today many servers provide time to their clients without any authentication, and those that do authenticate using the protocol's standard mechanisms either do not analyse the data, require a pre-shared key, or are vulnerable to password theft attacks. Most clients have their NTP server address hard coded in their firmware.
In October 2002, one such attack hit one of the web servers at Trinity College, Dublin. It was traced to a program called Tardis: thousands of copies around the world contacted web servers across the world and obtained timestamps from the HTTP servers. Since hackers mainly use this protocol to launch DoS or replay attacks, this project assesses various vulnerabilities related to the NTP protocol and designs a defence mechanism to protect useful information and to prevent servers from going down under the impact of a hacker's malicious intent.
Since NTP keeps lurking in the background of many systems, any change made to it can cause the various applications that use this protocol to stop or malfunction.
In the current system the client can sign any packet before sending or receiving it, whereas in our solution only the broadcast server should be able to sign broadcast packets.
So far I have performed 2 attacks:
1- MITM attack using SSL Stripping by time-shifting
In this first attack, we create a fake NTP server. You can create one yourself or use one of the many servers already available; in this project I have used the Delorean server. Then configure the server to send a time in the future. The remaining steps can be seen in the algorithm included in this report.
SSL/TLS is the protocol used to send or receive sensitive information, mainly for banking, login pages and email correspondence. It creates a secure connection between two parties (usually a client application and a server). Browsers and web servers routinely use this protocol when a secure connection is needed.
When we connect to an HTTPS website, the following events happen in order:
The user sends an unsecured HTTP request.
The server answers via HTTP and redirects the user to a secure protocol (HTTPS).
The user sends a secure HTTPS request, and the secure session begins.
To "strip" the SSL, the attacker intervenes in the redirection from HTTP to the secure HTTPS protocol and intercepts the user's request to the server. The attacker then establishes an HTTPS connection between himself and the server and an unsecured HTTP connection with the user, acting as a "bridge" between them.
2- NTP Reflection attack
NTP is a UDP-based protocol that is often set up in an unsafe manner, which allows attackers to attack its integrity. Request packets to the fake NTP server are captured, saved and edited, and the edited packets are then sent to the victim in large numbers. For this we write a script and monitor CPU and memory usage. Under normal conditions CPU usage is almost 0 per cent; it spikes after we run the script and bombard the victim with a large number of packets. This works as a DoS attack.
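As an added example that is not part of the original post, here are the two client-side checks a defender would want against exactly the two attacks above: an NTP reply whose origin timestamp does not echo the request we sent is dropped as replayed or spoofed, and a reply that would step the clock by more than a bound is refused, which is what stops a fake server handing out a future time. The packets, the 1000-second bound and the function names are constructed for this example.

```python
import struct

NTP_EPOCH_OFFSET = 2_208_988_800             # seconds from 1900-01-01 to 1970-01-01
MAX_STEP_SECONDS = 1000                      # assumed bound on an acceptable clock step
NTP_PACKET = struct.Struct("!BBBbII4s8I")    # 48-byte NTPv4 header

def to_ntp_ts(unix_seconds):
    """Unix float time -> (seconds, fraction) 64-bit NTP timestamp."""
    whole = int(unix_seconds)
    return whole + NTP_EPOCH_OFFSET, int((unix_seconds - whole) * (1 << 32))

def from_ntp_ts(secs, frac):
    """NTP (seconds, fraction) -> Unix float time."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def build_packet(mode, origin, receive, transmit, stratum=2):
    """Constructed NTPv4 packet: LI=0, VN=4, mode 3 = client, mode 4 = server."""
    li_vn_mode = (4 << 3) | mode
    return NTP_PACKET.pack(li_vn_mode, stratum, 6, -20, 0, 0, b"GPS\x00",
                           *receive, *origin, *receive, *transmit)

def validate_response(packet, sent_transmit, now_unix, max_step=MAX_STEP_SECONDS):
    """Checks a reply must pass before it may adjust the clock.
    Returns (accepted, reason, offset_seconds). The offset ignores round-trip
    delay; enough to show the checks, not a full NTP clock filter."""
    if len(packet) < NTP_PACKET.size:
        return False, "short packet", None
    f = NTP_PACKET.unpack(packet[:NTP_PACKET.size])
    if f[0] & 0x07 != 4:
        return False, "not a server reply", None
    # Check 1: origin timestamp (fields 9-10) must echo the transmit timestamp
    # we sent. A replayed or blindly spoofed reply cannot match it.
    if tuple(f[9:11]) != tuple(sent_transmit):
        return False, "origin timestamp mismatch", None
    # Check 2: refuse a reply that would step the clock by more than max_step.
    # This defeats a fake server handing out a time far in the future.
    offset = from_ntp_ts(*f[13:15]) - now_unix
    if abs(offset) > max_step:
        return False, "clock step too large", offset
    return True, "ok", offset

# Constructed scenario: the client sent its request at NOW with transmit ts T1.
NOW = 1_700_000_000.0
T1 = to_ntp_ts(NOW)
GOOD_REPLY = build_packet(4, T1, to_ntp_ts(NOW + 0.05), to_ntp_ts(NOW + 0.05))
FUTURE = to_ntp_ts(NOW + 30 * 86400)          # fake server 30 days ahead
FUTURE_REPLY = build_packet(4, T1, FUTURE, FUTURE)
REPLAYED_REPLY = build_packet(4, to_ntp_ts(NOW - 3600), T1, T1)  # stale origin

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_REPLY), ("future", FUTURE_REPLY), ("replayed", REPLAYED_REPLY)]:
        print(name, validate_response(pkt, T1, NOW))
```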
The sole aim of this project was to deliver to the end user a defence system that could tackle such vulnerabilities. We would also search for more vulnerabilities and for different ways in which a false packet can be crafted. In this project, so far I have tried many vulnerabilities to which NTP is prone. I have launched an SSLStrip attack, a Man-in-the-Middle attack, time-shift attacks and also an NTP reflection attack, which is a DoS attack.
The remaining work is to search for a few more vulnerabilities and then sniff and analyse packets at the server end. I will write a script that can sniff such packets and drop them. I also plan to make a GUI so that any incoming packet can be analysed by the end user without having to write commands.
This project was taken up as my capstone project. The project idea was given by my faculty Dr Mayank Swankar. Special gratitude goes to him: his valuable guidance and support, stimulating suggestions and encouragement helped me to coordinate my project with different research papers and to design a defence mechanism for the same. I would also extend my vote of thanks to our Head of the Department, CSE Bennett University, Dr Deepak Garg, for motivating me throughout this project. I would also like to thank Dr Sanjeet for keeping track of my progress.