Sharon Goldberg remembers the cold February day when her Boston University PhD candidate Aanchal Malhotra was studying routing security, in particular, attacks against the resource public key infrastructure (RPKI)—and kept hitting a dead end because of a cache-flushing issue.
The resourceful Malhotra decided to roll back the time on her computer as a last-ditch effort, and it worked.
“She was able to do the attack and I asked her what she did,” said Goldberg, an associate professor in the BU computer science department. “She said she changed the time with NTP and it worked. We were both saying ‘Whoa.’”
Inadvertently, Malhotra had stumbled across serious security vulnerabilities in the network time protocol used to synchronize computer clocks, that could allow an attacker on a network—say in a man-in-the-middle position—to, at scale if they so wished, roll back time on computers and affect cryptographic calculations, carry out denial of service attacks, or impact the effectiveness of security implementations such as DNSSEC.
“We are extremely surprised no one thought of this as an attack vector,” Goldberg said. “We realized this is a powerful tool to do attacks against other systems that are impacted by time. Most cryptography uses timestamps; they’re there for a reason. If they’re not accurate, it’s a problem.”
Goldberg, Malhotra and fellow BU students Isaac E. Cohen and Erik Brakke published a paper this week called “Attacking the Network Time Protocol” that describes a handful of attacks against NTP that are successful because of insufficient authentication and cryptographic shortcomings that allow an attacker to roll back time and cause various levels of havoc on the Internet.
The vulnerabilities uncovered by the BU researchers can be exploited with various levels of sophistication on the attackers’ part, Goldberg said.
The easiest involves the use of a so-called Kiss-of-Death packet to exploit a rate-limiter built into NTP. The attacker can exploit this situation from anywhere—an off-path attack—by spoofing a single Kiss of Death packet and can stop a client from querying a server for years if the attacker so chooses, and no longer update its clock.
“Because the attacker need only send a few Kiss-o’-Death packets per victim client, standard network scanning tools (nmap, zmap) can be adapted to very quickly launch this attack, in bulk, on most of the ntpd clients in the Internet,” Goldberg et al wrote on the project’s portal. The page also includes extensive mitigation advice for patching NTP servers and clients.
Goldberg said that such an attack can be done at scale by scanning the IPv4 address space and listening for responses from vulnerable servers. The patch rolled out this week from the keepers of NTP makes it much more difficult to construct a Kiss of Death packet, Goldberg said.
Goldberg said most of the previous work around attacking NTP involves man-in-the-middle attacks, including a paper done for Black Hat last summer by Jose Selvi using NTP to bypass HSTS protections. Goldberg and the students used one of Selvi’s tools, Delorean, in their research.
“What’s been happening the last couple of years is that there’s been more work on off-path attacks. Off-path attacks don’t intercept traffic, it’s just someone with a computer sending packets,” Goldberg said. “It’s a much scarier threat model.”
The researchers also describe in their paper a denial of service attack where even if the Kiss-of-Death packet vulnerability is patched, an attacker could still use the packet to disable NTP on the victim’s client.
“Here, the attacker elicits a valid KoD packet from the client’s preconfigured servers by ‘priming the pump’, i.e., sending the servers a high volume of queries that are spoofed to look like they come from the client,” they wrote. “The servers then start rate-limiting the client, responding to each of its subsequent queries with a valid KoD packet. Upon receipt of the KoD, the client stops querying its servers, and can no longer update its local clock.”
A third attack requires an attacker be in man-in-the-middle position and able to hijack traffic to an NTP server using BGP or DNS hijacks. The attack rolls back time on the server’s clients that circumvents a 16-minute panic threshold built into NTP and allows an attacker to manipulate the client’s cache and cause, for example, a cryptographic object to expire, they wrote.
The final attack is carried out by an off-path attacker and also rolls back time on the client side by exploiting problems in IPv4 packet fragmentation, the researchers wrote.