‘Network time protocol can be abused for attacks on https and dnssec’
Unencrypted traffic based on the network time protocol can be intercepted, after which the time of clients can be adjusted. Such a shift in time can be abused in attacks on https, dnssec and bitcoin, among other things, researchers claim.
The Boston University researchers describe the ways in which an attacker can intercept traffic to an ntp server and the consequences of adjusting the time. The network time protocol, or ntp, dates from 1985 and provides clock synchronization between systems. It was already known that ntp servers can be exploited for ddos attacks, and the possibility of man-in-the-middle attacks had also been pointed out. The researchers have now mapped out the various attacks and their implications.
The security and proper functioning of many protocols and programs rely on the correctness of time, they write. Some applications, such as authentication software and bitcoin, can be disrupted by shifting time by a few hours or days, while tls certificates and dnssec, for example, can be attacked by shifting it by months or years.
“An NTP attacker who moves a client back in time can cause a host to accept certificates that an attacker fraudulently issued, but have since been revoked,” the report said. By pushing the time on a DNS resolver forward, an ntp attack can cause the cryptographic dnssec validation to fail, causing the resolver and all of its clients to lose connectivity to domains secured with dnssec.
By adjusting the system time of a bitcoin user, a victim could theoretically be made to reject a legitimate block from the blockchain. Blocks carry a timestamp and a validity window of approximately two hours, the researchers note. They point out that although ntp supports cryptographic authentication, it is rarely used in practice.
In addition to so-called on-path attacks, in which traffic is intercepted, the report also describes an off-path denial-of-service attack. In this case the attacker spoofs a single kiss-of-death packet from a server: the client then stops querying that server and can no longer update its local clock. Kiss-of-death packets are meant to reduce the load on an ntp server that receives too many queries, but the researchers say they are very easy to spoof.
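As an added, defender-side illustration (not code from the report or from Boston University's page), the Python below sketches the checks an ntp client can apply to a reply before letting it touch the clock: verify that the origin timestamp echoes the request, only then honour a kiss-of-death packet (stratum 0 with a kiss code in the reference id), and refuse offsets of months or years. The 1000-second step limit and the sample replies built by `build_reply` are assumptions constructed for this example.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to the Unix epoch
MAX_STEP_SECONDS = 1000.0       # assumed local policy: never step the clock further than this

def _ts_to_float(raw: bytes) -> float:
    """64-bit NTP timestamp (32.32 fixed point since 1900) -> Unix seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def _float_to_ts(t: float) -> bytes:
    """Unix seconds -> 64-bit NTP timestamp; also used to build the constructed samples."""
    secs = int(t)
    return struct.pack("!II", secs + NTP_EPOCH_OFFSET, int(round((t - secs) * 2**32)))

def parse_ntp(packet: bytes) -> dict:
    """Pull the RFC 5905 header fields a client needs to vet a server reply."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    return {
        "mode": packet[0] & 0x7,
        "stratum": packet[1],
        "refid": packet[12:16],
        "orig": packet[24:32],                 # kept raw: compared byte-for-byte with our request
        "recv": _ts_to_float(packet[32:40]),
        "xmit": _ts_to_float(packet[40:48]),
    }

def vet_reply(packet: bytes, t1: float, t4: float) -> tuple:
    """Classify a reply given the client's own transmit (t1) and receive (t4) times.

    The origin check runs first: a genuine reply echoes the transmit timestamp we
    sent, which a blind off-path sender does not know, so a spoofed kiss-of-death
    packet is discarded as bogus instead of silencing the client."""
    p = parse_ntp(packet)
    if p["orig"] != _float_to_ts(t1):
        return ("bogus", "origin timestamp does not echo our request")
    if p["stratum"] == 0:
        # Kiss-o'-Death: stratum 0 with an ASCII kiss code (e.g. RATE) in the reference id.
        return ("kod", p["refid"].decode("ascii", "replace"))
    offset = ((p["recv"] - t1) + (p["xmit"] - t4)) / 2     # RFC 5905 clock offset
    if abs(offset) > MAX_STEP_SECONDS:
        return ("reject", offset)                           # months/years shift: refuse it
    return ("accept", offset)

def build_reply(stratum: int, refid: bytes, orig: bytes, t2: float, t3: float) -> bytes:
    """Constructed sample server reply (not a captured packet) for exercising vet_reply."""
    header = bytes([0x24, stratum, 6, 0xEC]) + b"\x00" * 8 + refid   # LI=0, VN=4, mode=4
    return header + b"\x00" * 8 + orig + _float_to_ts(t2) + _float_to_ts(t3)
```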
Boston University has put a page online with tips on how to protect ntp servers and clients from attacks.