Forgotten Protocols: NTP (Network Time Protocol)
There are some forgotten protocols in our networks and systems. They are difficult to work with because little is known about them, and yet they may be a foundation stone of the services we provide.
In some cases we trust that they are safe, or we think that attackers will always focus on the well-known Crown Jewels, but we never stop at the moment of decision to determine whether, given their criticality, these protocols should be included in those categories. Perhaps they go unnoticed because we trust that they are safe, but trust is not the same as awareness.
Being aware of all the services that our teams handle is a daunting task, but at some point we should start exploring them in greater depth.
Why is time so important?
Imagine this: you need to take a bus at a specific time; you walk to the bus stop and wait for it. You look at your watch and see that it is time, but the bus has not arrived yet. At that moment you look for another device, such as your telephone, to get a second source of time, and you realize that your watch is wrong. If you had an important appointment or commitment, you wouldn't make it on time.
Now, when talking about systems and applications that require other applications to work, a correct time setting is needed.
Without correct timing, automatic processes and processes that take place in real time will not work correctly. Many entities, generally financial ones, work with real-time tasks, because when it comes to money things become a little more complex than usual. For example, if you were working for a bank, there are processes that must be executed at a specific time at the end of the day, because entities often communicate with other banking entities around the world to update each other with certain information. If this automated process does not run on time, it could create legal issues with other banks and trust could be lost. In a bank, trust is the most important thing you need.
Why is timing an attack vector?
Let's go back for a second to the cybersecurity principles: an attacker usually targets the four pillars on which our need to feel safe is built: CONFIDENTIALITY, AVAILABILITY, INTEGRITY and TRACEABILITY. There we can highlight important points where time is the protagonist, since several aspects of it are of interest to attackers but not so much to the people whose objective is to protect a company's resources. The common focus of analysts usually lies in maintaining CONFIDENTIALITY; professionals then list their favorite Crown Jewels with that specific property in mind, leaving out important issues that can harm us in the short term.
AVAILABILITY, INTEGRITY and TRACEABILITY
When those responsible for security pay no attention to TRACEABILITY and AVAILABILITY, an attacker can come up with ways to hinder operations and put obstacles in the way of a successful company's processes. That is why attacking the timing yields key benefits at the attacking level, both to cover one's tracks and to perform a diversionary maneuver within the potentially affected facilities.
The protocol in charge of this in a company's systems is NTP (Network Time Protocol), which is used to synchronize the clocks of the different interconnected devices within the configuration scope of this service. It works over UDP on port 123 and is widely used in networks worldwide, both internal and public. Its importance lies, as we already mentioned in the previous paragraphs, in the fact that a prolonged lack of time synchronization in a system affects the consistency and integrity of the information, with serious repercussions in areas such as finance, production, legal matters and a long etcetera.
In the diagram above we can see how the protocol works: there is an external satellite synchronization reference; next, primary servers take this synchronization and pass it on to secondary reference servers, which are consumed by the potential clients of this information. Ultimately, they all share these references with each other.
Among the vulnerabilities that we can find in this type of protocol, which involves a great deal of exchange, there are several points of failure, such as the following:
What are the most popular attacks?
- The weaknesses or failures of the protocol
⦁ Design deficiencies in the protocol mean that some functions intended for a type of management end up working against the purpose of the protocol itself.
- The interactions of the protocol with other systems and/or protocols
⦁ Cutting these interactions so that the connections lose synchronization.
- The timeline before an audit
⦁ All digital evidence is based largely on timestamps; without them, the pieces of evidence cannot be correlated with each other, and we face a serious problem that may have no solution, because the evidence is produced in a given time interval and cannot be regenerated. Example: if someone performs tasks that later become digital evidence while the time is manipulated, the manipulated time is what will prevail; we will never be able to reconstruct the real time of the action.
- The integrity of the information
⦁ Allowing an attacker to lie about the time at which a transaction is performed in order to bypass application protection mechanisms. Example: an application that relies on the exact time to determine the validity of a license or to force the expiration of a local certificate.
Among the best-known attacks referring to the potential points of failure mentioned above, we find some known techniques that could help an attacker produce these symptoms in the use of NTP.
⦁ NTP Amplification Attack
These are mainly associated with vulnerabilities corresponding to point 1 of the previous paragraph, where we referred to protocol flaws.
These vulnerabilities are related to certain commands used for protocol management and monitoring. We are talking about two particular commands that are intended to perform the following functions:
Monlist: returns a list of the last 600 devices that have communicated with the server. A small request is made to the server and a response is received that can be up to 200 times larger than the query.
Readvar: a command that, when executed, returns variables with their content, producing a response larger than the query made; in this case, 30 times larger.
Attackers make these requests in large numbers, forging the source address to impersonate the server they want to take down. As a result, the victim machine, without having requested it, receives NTP responses amplified 30 and/or 200 times depending on the function used, causing a flood of NTP responses and affecting the availability of services that depend on connectivity through it.
Image taken from https://www.cloudflare.com/es-es/learning/ddos/ntp-amplification-ddos-attack/
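As an added example (not code from the original post), the following Python classifier reads the NTP header bytes that distinguish normal time exchanges (modes 1 to 5) from the management packets the amplification attack abuses (mode 7 monlist, mode 6 readvar), and flags such requests arriving from outside a trusted management range; the sample packets and the 10.0.0.x trusted prefix are constructed assumptions.

```python
# Mode 7 ("private") request codes and mode 6 ("control") opcodes, taken from
# the ntpd reference implementation headers (ntp_request.h / ntp_control.h).
IMPL_XNTPD = 3                                              # implementation id ntpd answers to
MODE7_REQUESTS = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}   # both are "monlist"
MODE6_OPCODES = {1: "READSTAT", 2: "READVAR"}

def classify_ntp_packet(data: bytes) -> dict:
    """Decode the NTP association mode from byte 0 and, for management
    packets (mode 6/7), name the command. 'amplifier' is True for the two
    requests described in the text, whose replies dwarf the request."""
    if len(data) < 4:
        return {"mode": None, "command": "truncated", "amplifier": False}
    mode = data[0] & 0x07                         # low three bits of byte 0
    if mode == 7:                                 # req_pkt: rm_vn_mode, auth_seq, implementation, request
        impl, req = data[2], data[3]
        if impl != IMPL_XNTPD:
            return {"mode": 7, "command": f"impl={impl}", "amplifier": False}
        name = MODE7_REQUESTS.get(req, f"req={req}")
        return {"mode": 7, "command": name, "amplifier": req in MODE7_REQUESTS}
    if mode == 6:                                 # ntp_control: li_vn_mode, r_m_e_op, ...
        opcode = data[1] & 0x1F                   # low five bits of byte 1
        name = MODE6_OPCODES.get(opcode, f"op={opcode}")
        return {"mode": 6, "command": name, "amplifier": opcode == 2}
    return {"mode": mode, "command": "time exchange", "amplifier": False}

def suspicious_management_sources(packets, trusted_nets=("10.0.0.",)) -> list:
    """Given (src_ip, payload) pairs, return sources outside the trusted
    management prefixes that send mode 6/7 packets: on a hardened server
    such traffic should never arrive from the outside at all."""
    hits = []
    for src, payload in packets:
        info = classify_ntp_packet(payload)
        if info["mode"] in (6, 7) and not src.startswith(trusted_nets):
            hits.append((src, info["command"]))
    return hits

# Constructed sample traffic (not a real capture): a normal v4 client poll,
# a monlist request and a readvar request, as an IDS would see them on UDP/123.
SAMPLE_PACKETS = [
    ("10.0.0.15", bytes([0x23]) + bytes(47)),                      # LI=0 VN=4 mode=3 client
    ("203.0.113.9", bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)),   # mode 7, impl 3, req 42
    ("198.51.100.7", bytes([0x16, 0x02, 0x00, 0x00]) + bytes(8)),  # mode 6, opcode 2
    ("10.0.0.2", bytes([0x16, 0x01, 0x00, 0x00]) + bytes(8)),      # mode 6 readstat, admin net
]

if __name__ == "__main__":
    for src, cmd in suspicious_management_sources(SAMPLE_PACKETS):
        print(f"{src}: NTP management request {cmd} from untrusted source")
```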
⦁ NTP Spoofing (Through ARP and/or DNS)
Although this is not a vulnerability of the NTP service itself, it can be achieved with a classic man-in-the-middle attack targeting our NTP servers. Here, a combination of techniques allows a different time to be sent to the computers that are requesting the time from the main NTP server. In terms of classification, it could also be considered a misuse or abuse of the protocol in question.
In this case, ARP spoofing could be used to intercept NTP frames and rewrite them with an incorrect synchronization time in order to alter the timestamps.
As most attacks focus on more interesting protocols, there are not many automated tools for this; it could be done with a script that performs the following steps:
- Perform ARP-Cache-Poisoning.
- Position our machine between the target and the gateway.
- Listen to the NTP responses that the gateway sends to the target.
- Modify the Timestamps and re-send them.
A very useful tool for this is Python's Scapy library for packet handling. Before programming it, though, it is always worth doing a Google search for solutions already worked out by some kind researcher, as in the following example:
Now, if we want to perform the same task with DNS poisoning, we simply have our malicious DNS answer that the NTP server is a server controlled by the attacker, which will then provide an incorrect time for synchronization.
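Client-side mitigation, as an added example that is not part of the original post: parse constructed mode 4 replies, compute the RFC 5905 offset, and reject a source whose offset exceeds ntpd's 1000-second panic threshold or disagrees with the majority of the configured servers, which is what makes a single spoofed server of limited use. Server names and timestamps are constructed.

```python
import struct

NTP_EPOCH_DELTA = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
PANIC_THRESHOLD = 1000.0          # ntpd's default: larger steps are refused, not applied

def to_ntp(unix: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds << 32 | 32-bit fraction)."""
    secs = int(unix) + NTP_EPOCH_DELTA
    return (secs << 32) | int((unix - int(unix)) * (1 << 32))

def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)

def build_reply(t1: float, t2: float, t3: float) -> bytes:
    """Constructed 48-byte mode 4 (server) reply: header, then reference, origin (T1), receive (T2), transmit (T3)."""
    header = struct.pack("!BBBbIII", 0x24, 2, 6, -20, 0, 0, 0)   # LI=0 VN=4 mode=4, stratum 2
    return header + struct.pack("!QQQQ", to_ntp(t3), to_ntp(t1), to_ntp(t2), to_ntp(t3))

def offset_from_reply(pkt: bytes, t4: float) -> float:
    """Clock offset theta = ((T2 - T1) + (T3 - T4)) / 2 as in RFC 5905."""
    if len(pkt) < 48 or pkt[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    _, t1, t2, t3 = struct.unpack("!QQQQ", pkt[16:48])
    return ((from_ntp(t2) - from_ntp(t1)) + (from_ntp(t3) - t4)) / 2

def select_offset(offsets: dict, tolerance: float = 0.5):
    """Drop sources beyond the panic threshold, then keep only those agreeing
    with the largest cluster. Returns (offset to apply or None, {source: reason})."""
    sane = {s: o for s, o in offsets.items() if abs(o) < PANIC_THRESHOLD}
    rejected = {s: "exceeds panic threshold" for s in offsets if s not in sane}
    if not sane:
        return None, rejected
    leader = max(sane, key=lambda s: sum(abs(sane[s] - o) <= tolerance for o in sane.values()))
    for s, o in sane.items():
        if abs(o - sane[leader]) > tolerance:
            rejected[s] = "disagrees with majority"
    agreed = [o for s, o in sane.items() if s not in rejected]
    return sum(agreed) / len(agreed), rejected

def demo():
    """Constructed exchange: client sent at T1 and received at T4 (its own clock); two honest
    servers, one spoofed reply a full day ahead, and one server merely drifting by 5 s."""
    t1, t4 = 1_700_000_000.000, 1_700_000_000.100
    replies = {
        "ntp-a": build_reply(t1, t1 + 0.050, t1 + 0.051),
        "ntp-b": build_reply(t1, t1 + 0.049, t1 + 0.050),
        "spoofed": build_reply(t1, t1 + 86400.050, t1 + 86400.051),
        "drifting": build_reply(t1, t1 + 5.050, t1 + 5.051),
    }
    offsets = {name: offset_from_reply(pkt, t4) for name, pkt in replies.items()}
    return select_offset(offsets)
```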
How do we defend ourselves?
Although in the case of protocol flaws we can remove insecure functionality to harden the protocol, detection and monitoring should be a fundamental part of any remediation. Simply becoming aware that the protocol exists makes it possible to start creating alerts for malfunctions of our NTP server.
In the case of amplification attacks:
- Disable the monlist and/or readvar commands: all versions of the NTP software prior to version 4.2.7 are vulnerable by default. Upgrading an NTP server to version 4.2.7 or higher disables the monlist command, which fixes the vulnerability. If this update is not possible, the server administrator can make the necessary changes by following the US-CERT instructions.
- Verify the source IP: ask the ISP to implement ingress filtering, where packets are checked for being sent from within the network with a source address that makes them appear to originate from outside it, or implement this filtering on our edge firewall.
- Deploy NTP servers behind firewalls: detect and filter UDP requests directed to the NTP server port and have an anti-spoofing configuration. For the latter, consult the specifications of your firewalls on the corresponding manufacturer's page.
- Limit the visibility of the NTP server on the Internet: minimize the exposure of our NTP servers to the Internet.
- Define or write an action protocol for a denial of service via NTP: how to act, what to do and what our contingency is in these cases are matters that should be established in advance, so that a solution can be executed immediately when time is compromised in our networks. Following a protocol is essential, as it lets us define rules of action for the incident management team.
In the case of spoofing attacks:
- Keep our LAN-level security measures always active. They help us monitor, among other things, malicious traffic sent between the devices on our NETWORK. Blocking attacks from outside towards our architecture is usually a simple task if we have the correct preventive measures at the edge of our network, but we must not lose sight of the fact that our internal network has to be robust enough to detect and prevent these potential anomalies associated with protocols that are usually neglected.
- Generate alerts by analyzing our NETWORK and DATAFLOW, as detailed in our post on how to use flow data for monitoring.
- Segment the network correctly in order to contain attacks away from our Crown Jewels (production servers, critical applications, workstations with critical access, etc.).
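As an added example (not from the original post), a small Python check that audits a classic ntpd ntp.conf for the amplification hardening listed above: the default restriction must carry `noquery` (which refuses mode 6/7 management queries such as monlist and readvar) alongside `nomodify`, and `disable monitor` must switch off the monlist table. The configurations and the server name are constructed placeholders.

```python
# Flags that "restrict default" must carry so that outside hosts cannot query
# (mode 6/7 management, including monlist and readvar) or modify the daemon;
# "disable monitor" switches off the recent-client table behind monlist.
REQUIRED_DEFAULT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

def audit_ntp_conf(text: str) -> list:
    """Return findings for a classic ntpd configuration; an empty list means the
    amplification-related hardening is in place."""
    findings, default_seen, monitor_off = [], False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # strip comments and whitespace
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "restrict" and "default" in tokens[1:3]:   # 'restrict [-4|-6] default ...'
            default_seen = True
            missing = REQUIRED_DEFAULT_FLAGS - set(tokens[1:])
            if missing:
                findings.append(f"'{line}' lacks {sorted(missing)}")
        elif tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_off = True
        elif tokens[0] == "enable" and "monitor" in tokens[1:]:
            findings.append("'enable monitor' keeps the monlist table active")
    if not default_seen:
        findings.append("no 'restrict default' line: any host may query and modify the server")
    if not monitor_off:
        findings.append("no 'disable monitor': monlist data is still collected")
    return findings

# Constructed configurations (placeholder server name, not a real deployment).
WEAK_CONF = """
server ntp1.example.net iburst
restrict default nomodify
"""

HARDENED_CONF = """
server ntp1.example.net iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1              # local management via ntpq stays possible
restrict ::1
disable monitor                 # no monlist table, nothing to amplify
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or ["ok"])
```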
Based on everything we discussed, it is almost essential to know all the protocols that are essential to the operation of our systems. Many times we will miss minor issues that sooner or later give us a huge headache when we want to fix a problem in real time. Not only are the measures to be taken important, but so are the prior planning and rehearsal of rare issues that may seem infrequent from our perception, but not from the point of view of an attacker who is constantly mutating and lurking. Let's not let attackers catch us off guard.
“Whoever is first in the field and awaits the coming of the enemy, will be fresh for the fight; whoever is second in the field and has to hasten to battle will arrive exhausted.”
Sun Tzu - The Art of War