Defending Against NTP Attacks: Cybersecurity Must-Haves
By Tom Seest
At BestCybersecurityNews, we help entrepreneurs, solopreneurs, young learners, and seniors learn more about cybersecurity.
In cybersecurity, there are various spoofing attacks that can degrade the accuracy of time information exchanged between clients and servers. It’s essential to understand how these attacks operate and take steps to prevent them.
One of the most frequent spoofing attacks involves altering computer systems’ internet clocks. Accurate timing is essential for computers to read and send data correctly.
Network Time Protocol (NTP) is a communication protocol that maintains time on computers and other devices that use it. It’s widely deployed across internet-connected devices and services, including web applications, and it underpins numerous cryptographic protocols and authentication methods.
However, NTP is vulnerable to attacks that could cause significant disruption and harm to your business. For instance, a malicious NTP server could be used to alter the time on vital infrastructure in an instant.
In such a scenario, you could potentially lose important information and operations. That is why it’s so essential to understand how NTP works and how it can be compromised.
NTP’s Autokey mechanism uses public key cryptography and digital signatures to verify the authenticity of packets sent between clients and servers. Additionally, it encrypts a client cookie used in responses from the NTP server back to clients.
Cookies are encrypted with an autokey sequence key that is distributed to each client. The server then computes a unique cookie for each client from this autokey sequence key, the client’s IP address, and a key ID of zero.
A malicious NTP server can alter the contents of PTP packets in transit, disrupting the synchronization of every clock downstream. Examples include jamming GPS signals or falsifying satellite time to target the Grandmaster (GM) and/or Boundary Clock (BC) clocks in Figure 1.
Another type of asymmetric NTP attack alters packet content, either by editing the transmit timestamp or by inserting new, legitimate-looking packets. This type of attack can escalate into a full denial-of-service condition.
Such an attack requires a substantial amount of bandwidth to succeed, and it consumes many of your network resources. Therefore, having an effective strategy for combating NTP DDoS is paramount.
Cloud WAFs that scatter traffic across multiple networks can help limit the impact of an attack like this. Wallarm also offers additional protection by screening and analyzing attack traffic to detect suspicious IP addresses, allowing Wallarm to mitigate the attack before it reaches your organization’s infrastructure.
Man-in-the-middle (MITM) attacks are cyberattacks that involve inserting an attacker into a conversation or data transfer between two parties, allowing them to steal information from one party and send it to the other without their knowledge.
MITM attacks are conducted by cyber criminals using various techniques such as spoofing, eavesdropping, and hijacking. They typically target sites or applications that require login credentials, financial data, or other sensitive information to be processed.
These attacks typically take place on public Wi-Fi networks and against web-based services that use insecure HTTP or a weak HTTPS configuration. In this way, attackers can intercept user data as it passes between a website or application and a server and decrypt it for themselves.
Man-in-the-middle (MITM) attacks are increasingly targeting banks and other financial institutions, providing them with a means to intercept and control client accounts. It may also involve stealing passwords and other sensitive data by intercepting cookies – small pieces of data saved on websites visited by an individual – which are stored on compromised computers.
When a user accesses a banking or financial site, an attacker can spoof the URL and direct them to a convincing look-alike site that captures their data. With this data, the attacker can gain access to both the account and the user’s personal details on the real site.
They can then use these credentials to take money from the victim’s account. MITM attacks are common against banks, but cybercriminals may also target other organizations that hold sensitive customer data.
Another type of MITM attack is e-mail hijacking, in which malicious actors take over email accounts and communicate with victims to monitor their transactions. They may even impersonate a legitimate bank’s email address and trick the victim into sending them their passwords or other sensitive personal data.
Finally, fake Wi-Fi access points that appear legitimate can be the most damaging type of man-in-the-middle attack: the operator has the power to control your entire online experience.
To avoid such issues, it’s wise to stay away from free Wi-Fi connections set up by third parties. These can be risky since they’re typically unprotected and thus vulnerable to man-in-the-middle attacks.
A network time synchronization attack (NTSA) is an advanced cyber-attack technique that an adversary can use to disrupt critical infrastructure and steal valuable information. It typically involves spoofing the victim’s IP address and redirecting replies to another server, increasing traffic volume significantly. This is accomplished using the NTP protocol, which has a high amplification factor, enabling attackers to send small requests that generate large volumes of data aimed at the target’s system.
The NTP packet includes an autokey sequence key that has been cryptographically authenticated using public key cryptography and digital signatures. The NTP server generates this key and distributes it to all clients; the client then uses this key to verify the NTP server’s authenticity.
Once an attacker gains access to a vulnerable endpoint, they can modify the relevant fields of PTP packets in transit and alter clock synchronization for all slave clocks downstream. This can either push slave clocks into free-running mode (Mizrahi 2014) or create an asymmetric delay.
Cryptographic security protocols cannot prevent such an attack, since the spoofed messages use identical security keys and originate from a trusted intermediate node. Furthermore, the attack can be launched either by an external man-in-the-middle attacker (router4) or by an advanced internal injector attacker (TC2), as shown in Figure 2.
An internal injector attacker can launch this attack by spoofing their IP address and continuously sending altered Sync/Follow_Up packets to OC1 and OC2, disrupting clock synchronization for all slaves downstream from the BC. Furthermore, protocol redundancy may be compromised or disabled if multiple GMs send infected packets.
An attacker can use the replay attack to spoof their IP address and generate massive amounts of traffic by sending a monlist request, which is enabled on some NTP servers. This request returns the last 600 source IP addresses seen by the server to the spoofed address, leading to an amplification factor of around 1 GB per request.
The Network Time Protocol (NTP) is a time synchronization protocol used by computers and other devices to maintain accurate clocks. Without proper synchronization, networks can experience various issues like increased operational costs, poor performance, or security risks due to inaccuracy in timing.
Malicious actors can manipulate NTP packets to increase the amount of traffic sent over a network. These amplification attacks are frequently employed as part of DDoS campaigns, which can quickly cripple an organization’s servers and infrastructure.
This type of attack is most effective when carried out by a botnet with many computers with spoofed IP addresses. With such an abundance of UDP requests with high query-to-response ratios, the attacker can quickly overwhelm the target’s server.
To combat this type of attack, it is essential to disable monlist on NTP servers and implement ingress filtering on networks that permit spoofed IPs. These measures will effectively stop the malicious botnet from launching amplification attacks against an organization’s network as well as help mitigate NTP amplification DDoS attacks.
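One way to confirm whether monlist traffic is still crossing your network edge is to inspect UDP/123 datagrams for NTP mode 7 MON_GETLIST requests and replies. The detector below is an added example, not code from the original post; it follows the ntpd mode 7 header layout (mode in the low bits of byte 0, implementation and request code in bytes 2 and 3, item count and item size in the next two 16-bit fields), and all datagrams and addresses in it are constructed.

```python
"""Flag NTP mode 7 MON_GETLIST (monlist) requests and replies in captured UDP/123 data."""
import struct

MODE_PRIVATE = 7          # NTP mode 7: implementation-private (ntpdc) messages
IMPL_XNTPD = 3            # implementation number used by ntpd
MONLIST_CODES = {20, 42}  # MON_GETLIST, MON_GETLIST_1: the "monlist" query


def parse_mode7(payload: bytes):
    """Decode the 8-byte mode 7 header; return None if the datagram is not mode 7."""
    if len(payload) < 8:
        return None
    b0, _seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),    # R bit: set on server replies
        "version": (b0 >> 3) & 0x07,
        "implementation": impl,
        "request": req,
        "nitems": err_nitems & 0x0FFF,  # low 12 bits: items carried in this fragment
        "item_size": mbz_size & 0x0FFF, # low 12 bits: bytes per item
    }


def classify(src: str, dst: str, payload: bytes):
    """Return an alert string for monlist requests/responses, else None."""
    hdr = parse_mode7(payload)
    if hdr is None or hdr["request"] not in MONLIST_CODES:
        return None
    if hdr["response"]:
        return (f"monlist RESPONSE {src}->{dst}: {hdr['nitems']} x {hdr['item_size']} B; "
                f"{src} is answering monlist and should have 'disable monitor' / noquery")
    return f"monlist REQUEST {src}->{dst}: verify {src} is not spoofed; rate-limit or drop"


def scan(datagrams):
    """datagrams: iterable of (src, dst, payload) tuples. Returns the alerts raised."""
    return [a for a in (classify(*d) for d in datagrams) if a]


# Constructed samples: an ordinary 48-byte client poll (mode 3), a mode 7 MON_GETLIST_1
# request, and a reply fragment carrying 6 entries of 72 bytes each.
CLIENT_POLL = bytes([0x23]) + bytes(47)                                          # LI=0 VN=4 mode=3
MONLIST_REQ = struct.pack("!BBBBHH", (2 << 3) | 7, 0, IMPL_XNTPD, 42, 0, 0) + bytes(40)
MONLIST_RESP = struct.pack("!BBBBHH", 0x80 | (2 << 3) | 7, 0, IMPL_XNTPD, 42, 6, 72) + bytes(6 * 72)
SAMPLE = [
    ("192.0.2.10", "203.0.113.5", CLIENT_POLL),
    ("198.51.100.77", "203.0.113.5", MONLIST_REQ),
    ("203.0.113.5", "198.51.100.77", MONLIST_RESP),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Feed it payloads from a packet capture filtered on UDP port 123; a response alert from one of your own addresses means that server still needs monlist disabled.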
Man-in-the-middle attacks can also be combined with NTP amplification, but because of the synchronization delays required by the IEEE 1588 standard, this type of attack becomes more challenging to execute. If an attacker delays a Sync message, the slave clock computes an incorrect offset; similarly, if a Delay_Req message is delayed, the slave clock also calculates an inaccurate path delay (Mizrahi 2011).
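The offset error described above follows directly from the IEEE 1588 two-step exchange: the slave computes offset = ((t2 - t1) - (t4 - t3)) / 2 and mean path delay = ((t2 - t1) + (t4 - t3)) / 2, so holding one direction by d shifts the offset by d/2 and inflates the measured delay by d/2. The model below is an added example, not code from the original post or from Mizrahi’s papers; the timestamps (nanoseconds) and the delay-jump check are constructed to show that asymmetric delay corrupts the offset while a jump in the measured mean delay remains a usable detection signal.

```python
"""IEEE 1588 offset/delay arithmetic under a delayed Sync or Delay_Req message."""


def ptp_offset_and_delay(t1, t2, t3, t4):
    """Slave-side computation from one Sync / Delay_Req exchange.
    t1: Sync sent (master clock)      t2: Sync received (slave clock)
    t3: Delay_Req sent (slave clock)  t4: Delay_Req received (master clock)"""
    mean_delay = ((t2 - t1) + (t4 - t3)) / 2
    offset = ((t2 - t1) - (t4 - t3)) / 2
    return offset, mean_delay


def observed_timestamps(true_offset, path_delay, sync_hold=0, dreq_hold=0):
    """Constructed timestamps a slave would see if an on-path node holds the Sync
    message by sync_hold ns and/or the Delay_Req message by dreq_hold ns.
    The slave clock reads master clock + true_offset."""
    t1 = 1_000_000_000                                  # master sends Sync
    t2 = t1 + path_delay + sync_hold + true_offset      # slave receives, slave time
    t3 = t2 + 500_000                                   # slave sends Delay_Req 0.5 ms later
    t4 = t3 - true_offset + path_delay + dreq_hold      # master receives, master time
    return t1, t2, t3, t4


def delay_jump_suspicious(measured_delay, baseline_delay, tolerance):
    """Plausibility check: a one-way hold raises the mean path delay by hold/2,
    so a jump well beyond the link's normal jitter is worth alarming on."""
    return abs(measured_delay - baseline_delay) > tolerance


def demo(true_offset=2_000, path_delay=50_000, hold=10_000, tolerance=2_000):
    """Run the honest exchange and both one-sided holds; return the results."""
    results = {}
    for name, kwargs in (("honest", {}),
                         ("sync_held", {"sync_hold": hold}),
                         ("dreq_held", {"dreq_hold": hold})):
        offset, delay = ptp_offset_and_delay(*observed_timestamps(true_offset, path_delay, **kwargs))
        results[name] = {
            "offset": offset,
            "delay": delay,
            "offset_error": offset - true_offset,
            "flagged": delay_jump_suspicious(delay, path_delay, tolerance),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10s} offset={r['offset']:8.0f} ns  error={r['offset_error']:7.0f} ns  "
              f"delay={r['delay']:7.0f} ns  flagged={r['flagged']}")
```

Holding both directions equally leaves the offset correct but doubles the delay inflation, which is why the delay-jump check catches symmetric holds that the offset alone would not.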
An advanced internal injector attack utilizes either an exploit or modified firmware update to gain full control of an NTP device. Once in, they can manipulate clock attributes on the device in order to create a rogue master or interfere with the BMC algorithm. This type of manipulation could lead to compromised GMs and the use of the rogue master’s time reference by all nodes downstream, including OC1 through OC7, except for OC4.