[time-nuts] When NTP goes wrong...

Florian Teply usenet at teply.info
Sun Oct 25 16:58:21 UTC 2015


On Sun, 25 Oct 2015 13:34:43 +0000,
Wojciech Owczarek <wojciech at owczarek.co.uk> wrote:

> I think this is a classic case of confusing application security with
> network security. The whole idea relies on spoofing packets. A
> spoofing scenario is only realistic in a lab setting. Or in case of a
> physical takeover of a circuit, which - well, then you have more
> important things to worry about, and please show me an actual
> existing case.
> 
> The series of off-path attacks described are off-path only because
> they don't require intercepting previous communication, but they
> still require spoofing. Theoretically any application using a
> connectionless protocol like UDP suffers from this "vulnerability" to
> spoofing one way or another. My personal favourite statement "on a
> properly designed network..." usually negates most of those.
> 
Umm, well, I agree partially. Spoofed packets are unfortunately not
as rare as one might think.  Sure, in many cases they're easy to detect
and are dropped routinely by most ISPs. But once they're out in the
wild, they're virtually impossible to tell from legitimate packets. The
reference to "properly designed networks" excludes the case where one
depends on external servers of higher stratum than what is available
within the network under your control. A properly designed network
implies full control over it, which is hardly achievable once the public
internet enters the picture. As soon as two or more transit networks are
encountered - which isn't too uncommon and which usually are not under
your control - all odds are off.

> PHK - as you say, the only cure is to have your own NTP servers, and
> any serious organisation out there does.
> 
If I'm not mistaken, the requirement is a bit more strict, as one would
need a reliable chain to stratum 1. Running your own stratum 1 server(s)
probably would be the preferred solution. But already a not too fancy
configuration of a lower stratum server makes the attack pretty
unlikely as one would need to spoof packets from the majority of
upstream servers. The parts that likely are least protected from this
kind of attack aren't so much organizations but rather Joe Average, who
doesn't have the knowledge to mitigate things. And those mostly are not
the target of an attack of this kind.

> The paper definitely has some research value, but in my opinion the
> negative publicity generated by this is overblown and undeserved. One
> thing I will agree with, is that there are too many random NTP
> servers out there which are dusty boxes sitting somewhere in the
> broom cupboard, running ancient software. However, all those
> vulnerable public NTP servers are vulnerable if you're sitting next
> to them.
> 
I have a similar feeling, the reported attack vector has more of an
academic value than actually posing a real threat. Therefore the
attention it generated is a bit over the top. Having a working
authentication mechanism that also works for the general public I'd
still consider to be a desirable feature. Not so much because NTP is
unreliable, but because I feel that authentication is generally a must
nowadays. But that's just my personal opinion.

Best regards,
Florian
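
Added example, not part of the message above and not ntpd's own code: a simplified Marzullo-style interval intersection showing why a client with several upstream servers only follows forged time once a majority of its sources have been spoofed. The function names, server names and offsets are constructed for illustration.

```python
# Added illustration: simplified Marzullo-style interval intersection.
# It is not ntpd's selection code; names and sample values are constructed.

def select_majority(sources):
    """sources: list of (name, offset_ms, error_ms), error_ms >= 0.

    Returns (low, high, agreeing_names) for the interval shared by the
    most sources, or None unless a strict majority shares it.
    """
    edges = []
    for _, offset, err in sources:
        edges.append((offset - err, 0))  # 0: interval opens
        edges.append((offset + err, 1))  # 1: interval closes
    edges.sort()  # at equal values, opens sort before closes

    best = count = 0
    low = high = None
    for i, (value, kind) in enumerate(edges):
        if kind == 0:
            count += 1
            if count > best:
                best, low, high = count, value, edges[i + 1][0]
        else:
            count -= 1

    if 2 * best <= len(sources):
        return None  # no strict majority agrees: refuse to pick a time
    agreeing = [name for name, offset, err in sources
                if offset - err <= low and offset + err >= high]
    return low, high, agreeing


# Constructed samples: offsets and error bounds in milliseconds.
HONEST = [("a", 2, 10), ("b", -1, 8), ("c", 4, 12), ("d", 0, 9)]

def spoof(sources, names, shift_ms=600_000):
    """Shift the named sources' offsets, as forged replies would."""
    return [(n, o + shift_ms if n in names else o, e) for n, o, e in sources]

if __name__ == "__main__":
    print(select_majority(spoof(HONEST, {"d"})))            # one forged source
    print(select_majority(spoof(HONEST, {"c", "d"})))       # half forged
    print(select_majority(spoof(HONEST, {"b", "c", "d"})))  # majority forged
```

With one forged source the three honest servers still define the result, with half forged no time is selected at all, and only with three of four forged does the shifted time win.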


