NTP server misuse and abuse covers a number of practices that damage or degrade Network Time Protocol (NTP) servers, ranging from flooding them with traffic (effectively a DDoS attack) to violating a server's access policy or the NTP rules of engagement. One incident was branded NTP vandalism in an open letter from Poul-Henning Kamp to the manufacturer of D-Link routers in 2006. The term was later extended by other parties to retroactively include other incidents. However, there is no evidence that these problems are deliberate vandalism; they are usually caused by naive or poorly chosen default configurations.
Deliberate misuse of NTP servers came to be recorded by the end of 2013, when NTP servers were used as part of amplified distributed denial-of-service attacks. Some NTP servers would respond to a single UDP "monlist" request packet with packets describing up to 600 associations. A request with a spoofed source IP address could thus direct an amplified stream of packets at a target network. This resulted in one of the largest distributed denial-of-service attacks known at the time.
Common NTP client problems
The most troublesome issue has involved NTP server addresses hard-coded in the firmware of consumer network devices. Because large manufacturers produce hundreds of thousands of devices, and since most customers never update the firmware, any problem will persist for as long as the device is in service.
One common software mistake is to generate query packets at short intervals (less than five seconds) until a response is received. When such an implementation finds itself behind a firewall that blocks the server's responses, the result is a never-ending stream of client requests to the NTP server. Overzealous clients (especially those polling once per second) typically make up more than 50% of a public NTP server's traffic, even though they are a very small fraction of all clients. While it makes sense to send a few initial packets at short intervals, it is important for the health of any network that client reconnection attempts are generated at an exponentially decreasing rate to prevent denial of service. This applies to all connectionless protocols, and to many parts of connection-oriented protocols as well. Examples can be found in the TCP specification for connection establishment, zero-window probing, and keepalive transmission.
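As an added example (not from the article), a small server-side check in Python for the overzealous clients described above: it groups constructed sample requests by source address and flags any source whose median gap between queries is below the 15-second floor that RFC 4330's best-practices section sets for clients. The capture format and the addresses are constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample capture (not a real log): "<epoch seconds> <client ip>",
# one line per NTP request reaching the server. 198.51.100.7 is stuck
# retrying once a second; 203.0.113.9 polls every 64 s like a sane client.
SAMPLE_LOG = """\
1000.0 198.51.100.7
1000.5 203.0.113.9
1001.0 198.51.100.7
1002.0 198.51.100.7
1003.0 198.51.100.7
1004.0 198.51.100.7
1064.5 203.0.113.9
1128.5 203.0.113.9
"""

def load_requests(text):
    """Group request timestamps by source address."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, ip = line.split()
            by_client[ip].append(float(ts))
    return by_client

def overzealous_clients(by_client, min_interval=15.0, min_samples=4):
    """Return {ip: median gap} for clients whose median inter-query gap is
    below min_interval. RFC 4330 (Best Practices) says a client must not
    poll more often than every 15 s, so a lower median points to a broken
    or firewalled client rather than a legitimate one."""
    flagged = {}
    for ip, times in by_client.items():
        if len(times) < min_samples:
            continue  # too few samples to judge
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med < min_interval:
            flagged[ip] = med
    return flagged

def traffic_share(by_client, flagged):
    """Fraction of all requests that came from the flagged clients."""
    total = sum(len(t) for t in by_client.values())
    bad = sum(len(by_client[ip]) for ip in flagged)
    return bad / total if total else 0.0
```

On the sample, the single broken client accounts for 62.5% of requests, which is the pattern the paragraph describes: a handful of misbehaving sources dominating a public server's load.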
Notable cases
Tardis and Trinity College, Dublin
In October 2002, one of the earliest widely recognized cases of time server abuse caused problems for web servers at Trinity College, Dublin. The traffic was eventually traced to misbehaving copies of a program called Tardis, with thousands of copies worldwide contacting the web server and obtaining a timestamp via HTTP. Ultimately, the solution was to modify the web server's configuration so as to serve a customized version of the home page (greatly reduced in size) and return a false time value, which caused most clients to choose a different time server. A newer version of Tardis was later released to fix this problem.
Netgear and University of Wisconsin-Madison
The first known case of NTP server problems began in May 2003, when Netgear hardware products flooded the University of Wisconsin-Madison's NTP server with requests. University staff initially thought this was a malicious distributed denial-of-service attack and took action to block the flood at the border of their network. Instead of abating (as most DDoS attacks do), the flow increased, reaching 250,000 packets per second (150 megabits per second) by June. Subsequent investigation revealed that four models of Netgear routers were the source of the problem. The SNTP (Simple NTP) client on the routers had two serious flaws. First, it relied on a single NTP server (at the University of Wisconsin-Madison) whose IP address was hard-coded in the firmware. Secondly, it polled the server at one-second intervals until it received a response. A total of 707,147 products with the flawed client were produced.
Netgear released firmware updates for the affected products (DG814, …).
Also in 2003, another case forced NTP servers at Australia's Commonwealth Scientific and Industrial Research Organisation (CSIRO) to be closed to the public. The traffic was shown to come from a poor implementation of NTP in some SMC router models, in which the IP address of the CSIRO server was embedded in the firmware. SMC released firmware updates for the products; the 7004VBR and 7004VWBR models are known to be affected.
D-Link and Poul-Henning Kamp
In 2005 Poul-Henning Kamp, the manager of the only Danish Stratum 1 NTP server available to the general public, observed a major increase in traffic and found that between 75 and 90% of it came from D-Link router products. Stratum 1 NTP servers receive their timing signal from an accurate external source, such as a GPS receiver, a radio clock, or a calibrated atomic clock. By convention, Stratum 1 servers should only be used by applications that require very precise time measurements, such as scientific applications or Stratum 2 servers with a large number of clients. A home network router meets none of these criteria. Additionally, Kamp's server access policy explicitly limits use to servers connected directly to the Danish Internet Exchange (DIX). Direct use of this server and other Stratum 1 servers by D-Link routers resulted in a major increase in traffic, raising bandwidth costs and server load.
In many countries, official time services are provided by government agencies (such as NIST in the US). Since there is no Danish equivalent, Kamp provides a "pro bono publico" time service. In return, DIX agreed to provide a free connection for the time server, assuming that the bandwidth involved would be relatively low given the limited number of servers and potential clients. With the increase in traffic caused by the D-Link routers, DIX requested that he pay an annual connection fee of 54,000 DKK (approximately US$9,920 or EUR 7,230).
Kamp contacted D-Link in November 2005, hoping that they would fix the problem and compensate him for the time and money he had spent tracking down the bandwidth issues and the costs caused by D-Link products. The company denied any problem, accused him of extortion, and offered compensation that Kamp said did not cover his expenses. On April 7, 2006, Kamp posted the story on his website. The story was picked up by Slashdot, Reddit, and other news sites. After going public, Kamp noticed that D-Link routers were directly querying other Stratum 1 time servers, violating the access policies of at least 43 of them in the process. On April 27, 2006, D-Link and Kamp announced that they had "settled peacefully" their dispute.
IT providers and swisstime.ethz.ch
For over 20 years, ETH Zurich provided open access to its swisstime.ethz.ch time server for clock synchronization. Due to excessive bandwidth usage, averaging over 20 GB/day, it became necessary to redirect external users to a public time server pool such as ch.pool.ntp.org. The abuse, mostly caused by IT service providers synchronizing their clients' infrastructure, placed very high demands on network traffic and prompted ETH to take action. In autumn 2012, swisstime.ethz.ch was changed to closed access. Since early July 2013, access to the server has been completely blocked for the NTP protocol.
Snapchat on iOS
In December 2016, the community of NTPPool.org operators saw a significant increase in NTP traffic, beginning on December 13.
Investigation showed that the Snapchat app running on iOS was responsible: a third-party iOS NTP library it used sent requests to all of its hard-coded NTP servers, so that requests to Snapchat domains were followed by a flood of NTP requests. After Snap Inc. was contacted, their developers resolved the issue within 24 hours of notification with an update to their app. As an apology, and to help handle the load their app had produced, Snap also contributed to the Australian and South American NTP pools.
As a positive side effect, the NTP library in question is open source, and its error-prone default settings were fixed after feedback from the NTP community.
More information can be found in the ntppool incident log.
TP-Link Wi-Fi extender connectivity test
Firmware for TP-Link Wi-Fi extenders released in 2016 and 2017 hard-coded five NTP servers, including Fukuoka University in Japan and Australian and New Zealand NTP servers, and repeatedly issued one NTP request and five DNS queries every five seconds, consuming 0.72 GB per month per device. The excessive requests were misused to drive an Internet connectivity check that displays the device's connectivity status in its web administration interface.
The issue was acknowledged by TP-Link's Japanese branch, which prompted the company to redesign the connectivity test and issue a firmware update addressing the issue for the affected devices. The affected devices may never receive the new firmware, as TP-Link Wi-Fi extenders neither install firmware updates automatically nor notify the owner that an update is available. The availability of the TP-Link firmware update also varies by country, although the issue affects all of the globally sold Wi-Fi range extenders.
The Fukuoka University server was reportedly shut down between February and April 2018 and should be removed from public NTP time server lists [1].
Technical solutions
After these incidents, it became clear that in addition to declaring a server access policy, technical means were needed to enforce it. One such mechanism is provided by extending the semantics of the Reference Identifier field in the NTP packet when the Stratum field is 0.
In January 2006, RFC 4330 was published, updating the details of the SNTP protocol but also provisionally clarifying and extending the related NTP protocol in some areas. Sections 8 through 11 of RFC 4330 have special relevance to this topic (the Kiss-o'-Death packet, being a good network citizen, best practices, security considerations). Section 8 introduces the Kiss-o'-Death packet:
In NTPv4 and SNTPv4, such packets are called Kiss-o'-Death (KoD) packets, and the ASCII messages they convey are called kiss codes. KoD packets got their name because their earliest use was to tell clients to stop sending packets that violate server access controls.
The new requirements of the NTP protocol are not retroactive, and old clients and implementations of earlier protocol versions do not recognize the KoD or act upon it. For now there is no good technical means to counter the misuse of NTP servers.
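The following Python model, added here and not part of the article or of any NTP implementation, shows the client behaviour the two preceding sections ask for: exponential backoff when replies go unanswered (the firewall case from the common-problems section) and honouring a Kiss-o'-Death reply by reading the kiss code from the Reference Identifier of a stratum-0 packet. The packet construction and the simulated clock are assumptions made for the example.

```python
NTP_PACKET_LEN = 48
STOP_CODES = {"DENY", "RSTR"}  # RFC 4330 kiss codes meaning "stop using this server"

def parse_kiss_code(packet):
    """Return the kiss code of a Kiss-o'-Death reply, or None otherwise.
    A KoD packet is a mode-4 server reply with Stratum == 0; its Reference
    Identifier (bytes 12..15) then holds a 4-char ASCII code such as RATE."""
    if len(packet) < NTP_PACKET_LEN:
        return None
    mode, stratum = packet[0] & 0x07, packet[1]
    if mode != 4 or stratum != 0:
        return None
    refid = packet[12:16]
    return refid.decode("ascii") if refid.isalpha() else None

def make_kod_packet(code):
    """Constructed KoD reply for demos/tests: LI=0, VN=4, mode=4, stratum 0."""
    return bytes([(4 << 3) | 4, 0, 0, 0]) + bytes(8) + code.encode("ascii") + bytes(32)

def run_client(send, min_interval=2.0, max_interval=1024.0, give_up_after=86400.0):
    """Simulated SNTP client. send(t) returns a reply packet, or None when the
    query went unanswered (e.g. a firewall dropped the reply). Every unanswered
    query doubles the wait, capped at max_interval, instead of retrying each
    second; a RATE kiss code also doubles it, and DENY/RSTR stops the client.
    Returns (query times, outcome) on a simulated clock, with no real sleeping."""
    t, interval, sent = 0.0, min_interval, []
    while t < give_up_after:
        sent.append(t)
        reply = send(t)
        kiss = parse_kiss_code(reply) if reply is not None else None
        if reply is not None and kiss is None:
            return sent, "synced"  # ordinary reply: done
        if kiss in STOP_CODES:
            return sent, kiss  # server told us to go away
        interval = min(interval * 2, max_interval)  # no reply or RATE: back off
        t += interval
    return sent, "gave_up"

if __name__ == "__main__":
    times, outcome = run_client(lambda t: None)  # all replies silently dropped
    print(outcome, len(times), "queries in a day instead of 86400 at 1/s")
```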
References
External links
- Trinity College Incident
- SMC/CSIRO incident
- Poul-Henning Kamp's open letter to D-Link (updated April 27, 2006)
- Copy of Poul-Henning Kamp's original letter to D-Link (from 23 April 2006)
- When Firmware Attacks! (DDoS by D-Link) by Richard Clayton
- OSnews articles on "NTP vandalism"
- Engadget on "NTP vandalism"
Source of the article: Wikipedia