Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security > Security
Topics Map > University of Chicago > IT Services > Applications, Operating Systems, & Devices > OS

Network Time Protocol (NTP) Secure Use

This article describes steps to identify and correct default installations of the NTP service on unix-like systems, which are vulnerable to misuse as part of a Denial of Service attack.

Description of the Problem

In late 2013, there was sharp increase in the number of attacks using unix-like systems running default installations of the Network Time Protocol (NTP) service. NTP is a complex protocol used to synchronize system time between computers. The vast majority of systems only need NTP's client functionality, i.e. to contact a pre-configured list of trusted NTP servers (see KB article 19499 for campus servers) in order to set the local system time.

Until recently NTP by default allowed any remote system to query for NTP-related statistics. A small network query could potentially return a large network response. Since NTP uses UDP it is possible to spoof the sending IP address. Attackers who want to launch a Denial of Service (DOS) attack send a small query to a vulnerable NTP server, forging the source IP address in the request. The NTP server sends a large response to the forged IP. Attackers can use multiple NTP servers to send a relatively small amount of traffic that creates an exponentially larger amount of traffic to be sent to someone else. This is known as an amplification distributed denial of service attack or NTP amplification attack.

Identifying Vulnerable Systems

Standard NTP command-line utilities provided with NTP itself can be used to identify whether a system is vulnerable (ntdpc and ntpq). Testing guidelines:

  1. Since localhost access to query the NTP service is often allowed (and not a problem) testing your system locally may give false positives -- instead, please test from another unix system.
  2. Run both tests multiple times to verify your results.
  3. Secure systems will either time out without responding or return a succinct error message. Vulnerable systems will return detailed results.

For example, to test from "other-system" run both of these commands, wait 30 seconds and run them again:

other-system$ ntpdc -c monlist <hostname-or-ip-of-system-to-test>
other-system$ ntpq -c readvar <hostname-or-ip-of-system-to-test>

If you have any questions about interpreting the results you can consult the documents listed under More Information below, or contact IT Security.

Solution

There are two possible recommended solutions: reconfiguration and/or NTP upgrade. Reconfiguration is most likely the simplest and surest. Please adapt these recommendations to your particular needs. Consult your system man pages for ntp.conf or the links provided below for more information.

  1. Add the “noquery” directive to the “restrict default” line in the system’s NTP configuration (see below)
  2. Upgrading to NTP version 4.2.7 or greater is sufficient on most but not all systems (in particular it does not seem to be sufficient for some BSD-derived systems).

recommended configuration for "restrict default" in /etc/ntp.conf should include:

# Default policy prevents queries 
restrict default nopeer nomodify notrap noquery

More Information

See Also

Network Time Protocol (NTP)




Keywords:ntp_amplification_attack, ntp_dos, ddos, unix, security, configuration   Doc ID:37208
Owner:James C.Group:University of Chicago
Created:2014-01-31 12:54 CDTUpdated:2017-04-05 08:59 CDT
Sites:University of Chicago, University of Chicago - Sandbox
Feedback:  0   0