The Misuse and Abuse of NTP Server Systems by aihaozhe2


Network Time Protocol (NTP) is a standard Internet protocol for the dissemination of
time around a computer network. The protocol operates in a hierarchical manner, each
level or stratum serving the next level in the hierarchy. At the top of the server
hierarchy are stratum 1 NTP servers, which synchronise directly to an external time and
frequency reference. Many stratum 1 NTP servers reside on the Internet and are used
for synchronising network time clients.

A number of cases of network time server misuse or abuse have been reported. This
article discusses some of the reported NTP time server abuse incidents and describes
NTP configuration methods that can reduce such problems. Most incidents appear to have
been caused by manufacturer configuration errors rather than malicious intent.

Many NTP server misuse issues have arisen from client configuration errors,
particularly in consumer electronic equipment. Because of the sheer volume of consumer
electronic equipment manufactured and in use, any configuration issue in equipment that
accesses NTP time servers is greatly magnified. A client with a configuration error or
firmware bug that polls a time server too often is harmless on its own, but the same
fault replicated across a large installed base can overload the server.

A recent high-profile incident of consumer electronic equipment causing NTP server
problems involved consumer router equipment. Home router devices were accessing
stratum 1 Internet time servers and flooding them with requests for time. Many NTP
time server administrators noticed a large increase in traffic and server loading. Many
stratum 1 NTP servers have an access policy that permits only stratum 2 servers to
request time from them. Home router equipment should therefore not query a stratum 1
time server directly.

In a separately reported network time server misuse case, an Internet-based NTP
server was being bombarded by ever-increasing volumes of traffic. It was initially
thought that this was an attack on the server. However, the amount of traffic
continued to rise over time rather than subside. Eventually, it was found that a
number of router devices manufactured by a well-known network equipment
manufacturer had the IP address of the time server hard-coded into the routers'
firmware. Each router in operation was contacting the server at regular intervals in an
attempt to synchronise time. Because a hard-coded address cannot be changed once the
devices have shipped, the load grew with every unit sold, and the volume of devices in
operation eventually overloaded the server.

NTP server implementations provide a rather general-purpose address-mask restriction
policy (in the reference implementation, ntpd, this is the restrict directive in
ntp.conf). It allows access to the NTP time server only from IP addresses within a
specified range or matching a specified address mask. Alternatively, clients can be
excluded from access by listing them explicitly in a restriction entry. Rogue clients
can therefore be denied access to the NTP server by restricting them explicitly.
Usually, the server simply drops NTP requests that are denied access. However, occasionally
a harsher response is required. The server can respond with a message explicitly
requesting the client to cease sending. A special packet has been defined for this
purpose, called the 'kiss-o'-death' packet: a reply with stratum 0 whose reference
identifier field carries a four-character ASCII kiss code (for example RATE, DENY or
RSTR). Kiss codes can convey useful information to an intelligent client. The character
string codes are designed for easy viewing in log files and convey denial-of-service
messages. When a client receives a 'kiss-o'-death' packet, it should stop sending to that
particular server and locate an alternative server, if available. If no alternative server
is available, the client should delay for an exponentially increasing time before retrying
the server. Because kiss-o'-death packets are normally unauthenticated, a client should act
on one only if it is a reply to a request the client actually sent (the packet's origin
timestamp matches the client's transmit timestamp); otherwise a spoofed kiss-o'-death
packet could be used to silence the client.
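The two mechanisms described above, the address-mask restriction list and the kiss-o'-death exchange, as one added example. This is illustrative Python written for this article, not code from ntpd or from the original page. It parses ntp.conf-style restrict lines using ntpd's flag names (default, mask, ignore, kod, limited, noserve), but the mapping from flags to "drop", RATE or DENY in decide() is a deliberately simplified assumption rather than ntpd's exact logic; the sample configuration, the addresses (documentation ranges) and the timestamps are all constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

NTP_HDR = "!BBBbIIIQQQQ"   # 48-byte NTP header fields, RFC 5905 order


@dataclass(frozen=True)
class Restrict:
    network: ipaddress.IPv4Network
    flags: frozenset


def parse_restrict(conf: str) -> list:
    """Parse ntp.conf-style lines: 'restrict default ...', 'restrict ADDR ...'
    or 'restrict ADDR mask MASK ...', each followed by flag words."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        if parts[1] == "default":
            net, flags = ipaddress.ip_network("0.0.0.0/0"), parts[2:]
        elif len(parts) >= 4 and parts[2] == "mask":
            net, flags = ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False), parts[4:]
        else:
            net, flags = ipaddress.ip_network(parts[1]), parts[2:]   # single host
        rules.append(Restrict(net, frozenset(flags)))
    return rules


def lookup(rules: list, client_ip: str) -> frozenset:
    """Flags of the most specific (longest prefix) entry covering client_ip."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for r in rules:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best.flags if best else frozenset()


def decide(flags: frozenset, over_rate: bool) -> tuple:
    """Simplified policy (an assumption for this example, not ntpd's exact logic).
    Returns ('serve', None), ('drop', None) or ('kod', '<4-char kiss code>')."""
    if "ignore" in flags:
        return ("drop", None)                          # discard silently
    if "limited" in flags and over_rate:               # client polls too often
        return ("kod", "RATE") if "kod" in flags else ("drop", None)
    if "noserve" in flags:                             # no time service for this client
        return ("kod", "DENY") if "kod" in flags else ("drop", None)
    return ("serve", None)


def client_request(xmit_ts: int) -> bytes:
    # Mode-3 (client) request; only the transmit timestamp matters here.
    return struct.pack(NTP_HDR, (4 << 3) | 3, 0, 6, 0, 0, 0, 0, 0, 0, 0, xmit_ts)


def kod_packet(code: str, request: bytes) -> bytes:
    """KoD reply: stratum 0, ASCII kiss code in the reference identifier, and the
    client's transmit timestamp echoed back as the origin timestamp."""
    assert len(code) == 4 and code.isascii()
    req = struct.unpack(NTP_HDR, request)
    refid = int.from_bytes(code.encode("ascii"), "big")
    return struct.pack(NTP_HDR, (4 << 3) | 4, 0, req[2], 0, 0, 0, refid,
                       0, req[10], 0, 0)              # origin = client's xmit


@dataclass
class Client:
    servers: list          # servers[0] is the one currently polled
    pending_xmit: int      # transmit timestamp of our outstanding request
    poll: int = 6          # log2 of poll interval in seconds (64 s)
    max_poll: int = 17     # RFC 5905 MAXPOLL

    def handle_reply(self, reply: bytes) -> str:
        r = struct.unpack(NTP_HDR, reply)
        if r[8] != self.pending_xmit:      # origin check: not a reply to our request,
            return "bogus"                 # so a spoofed KoD cannot silence us
        if r[1] != 0:
            return "synced"                # ordinary reply, stratum 1..15
        code = r[6].to_bytes(4, "big").decode("ascii", "replace")
        if code in ("DENY", "RSTR"):       # stop sending to this server
            if len(self.servers) > 1:
                self.servers.pop(0)
                return f"switched to {self.servers[0]}"
            self.poll = min(self.poll + 1, self.max_poll)   # no alternative: back off
            return f"no alternative, retry in {2 ** self.poll}s"
        if code == "RATE":                 # polling too fast: double the interval
            self.poll = min(self.poll + 1, self.max_poll)
            return f"rate limited, poll interval now {2 ** self.poll}s"
        return f"unknown kiss code {code!r}, ignored"


# Constructed sample configuration (documentation address ranges).
SAMPLE_CONF = """
restrict default kod limited nomodify notrap nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
restrict 198.51.100.0 mask 255.255.255.0 kod noserve
restrict 203.0.113.45 ignore
"""

if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_CONF)
    for ip, busy in [("192.0.2.10", True), ("203.0.113.46", True), ("198.51.100.7", False)]:
        print(ip, decide(lookup(rules, ip), over_rate=busy))
    c = Client(servers=["ntp1.example", "ntp2.example"], pending_xmit=0x1234)
    print(c.handle_reply(kod_packet("DENY", client_request(0x1234))))
```

Two points worth noting from the example. First, the most specific restrict entry wins, so a single-host "ignore" entry overrides the default even though the default entry matches every address. Second, in ntpd the kod flag only produces kiss-o'-death replies when combined with a flag such as limited that actually triggers an access violation, which is why "restrict default kod limited ..." is the usual shape of a hardened default entry.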
