Our blog

11 things you need to know about NTP security


13 April 2017

Peter Negus

Blogs by author: Peter Negus, Solutions Architect, BT.


Network Time Protocol (NTP) plays an important role in securing web transactions, and is a potent attack vector. Here’s what to look out for.

You're probably familiar with the need to timestamp security logs from an accurate time source. That time source is normally an NTP server. But NTP plays a far more important role — controlling the use of digital certificates, the foundation of web security. What’s more, it's also capable of being used in vicious DDoS attacks. An insecure NTP source can be an attacker's dream.

To give you an idea of just how important a role NTP plays in your IT, here are 11 talking points that your organisation needs to be aware of.

1. Bad time can kill your web traffic.

Every time you make a new HTTPS connection, the client checks that the certificate is valid. Each certificate has a valid date range and, if the system clock is outside of that range, then your connection is toast.

Many systems, including Windows, use Kerberos login authentication. This tries to protect you against replay attacks — where someone has captured your login with a sniffer and replays it to gain access. The most common example of this sort of attack is where people sniff the signatures from car remote locking systems and then replay them to open the doors. To prevent this, Kerberos access tickets have a limited window of validity — as little as five minutes. If your time on the client or server differs by more than this window you simply cannot login, because the ticket has timed out.

2. Your NTP server could compromise your DNS.

You might find that your existing NTP service runs on the same servers as the DNS, and that the NTP UNIX daemon is linked to an Internet time source. This has some major problems:

Someone can spoof that source.
A UDP ‘hole’ is created in the firewall, allowing DDoS attacks.
Attacks on the NTP daemon — stack overflow, for example — can compromise the DNS environment.

All of these are potentially disastrous vulnerabilities in your security architecture.

3. It's better to provide a separate, professionally managed server.

It's relatively cheap to provide a standalone NTP server using a Linux box and GPS receiver. The security problem with this is that the Linux needs hardening, vulnerability management and regular patching to maintain security. It's generally better to use a pre-hardened appliance if you can afford one with built in management controls. Remember: pre-hardened appliances are also better able to withstand DDoS attack.

4. You need resilience from at least two servers.

NTP servers exist in a hierarchy. One way of providing resilience is to use your routers as slave NTP servers. The problem with this is, if your main source goes down, a router clock can drift pretty quickly. The best solution is to have at least two primary servers.

5. You have a choice of NTP providers.

There are, at present, two NTP satellite networks used by commercial receivers — the GPS (USA), and GLONASS (Russia). You can lock your two receivers to different sources to provide resilience against a political event. Soon you will have a third choice — Galileo (EU) — which will go into full commercial operation in 2019, although it's partially in service now.

6. Incorporate your NTP servers in your network access control.

You definitely want to know if someone has accessed your NTP server. Most commercial NTP servers support RADIUS centralised access control, which can be controlled by the same system that oversees access to your routers and switches — typically a product like Cisco ISE. Of course, as you’re a good security manager, you’ll have ensured that the logs are securely stored off-box from the main access control server.

7. Put your NTP servers on your Simple Network Management Protocol (SNMP) manager.

An SNMP manager will tell you whether the server is active, whether it has a problem with its source, and how many connections are active (potentially indicating a DDoS attack). You'll normally have to get a specialist Management Information Base (MIB) loaded onto the SNMP manager. It's also a good idea to use SNMPv3, which has better authentication than earlier versions.

8. Guard your source against satellite spoofing.

Attacks are possible on your GPS source by spoofing the satellite signal, which is relatively weak by the time it has travelled 20,000 km from space. You can also be GPS DDoSed by intentional or accidental interference.

A good first step is to place your antenna out of sight from the ground, on the roof of your property. You might need your landlord's permission for this. A lot of commercial appliances support dual diversity antennas, which are better protected against interference.

If you want to be really secure, you'll only sync the server to GPS every so often, and run the system locally from a high-stability clock for the rest of the time.

9. Use authentication with your NTP servers.

NTP has a rather weak authentication system using MD5 hashes. It's not entirely hacker-proof, but is better than no authentication at all. It takes place on the client, and is optional, so devices that don't support this authentication can still use your time source.

10. Provide NTP DDoS protection.

NTP is used in a class of DDoS called reflection attacks. This is when a botnet of many thousands of PCs sends NTP requests to multiple hosts with the IP address of the attacked system. The NTP servers serve up thousands of NTP replies to the poor victim. Modern DDoS protection products, which you can buy as a cloud service, also identify and mitigate these attacks.

11. Prepare for the new millennium bug in 2036.

Those of you who were around in the Year 2000 will remember that tension when the year clocked round to 00/00/00 (or 00/00/2000 in your newly patched system!). The good news is that you only have to wait 20 years for the next one, when NTP goes into wraparound. This may sound a long way off, but if you’re designing one of the new Internet of Things (IoT) applications, such as smart metering, your system may still be around in 2036, so it’s worth thinking about.

Make the Cinderella of security go to the ball.

To sum up, NTP is often neglected, and yet NTP problems can destroy a modern IT service. It needs the same sort of attention that’s paid to your most critical servers, and needs professional monitoring throughout its lifetime. So sort out that NTP security, and then you'll have the time to relax.

To find out how BT can help your organisation stay secure, here’s where to look.