There have been an increasing number of attacks on Unix-like systems that run default installations of the Network Time Protocol (NTP) service. This is vital information for the UChicago IT community because the University has three NTP servers on campus. Luckily, there are solutions to help if attacks occur and tips to identify systems that are at risk. Because your system's safety is important to us, IT Services wants to keep you armed and ready against attacks. For your support, this guide provides an informational overview of NTP at UChicago, the current state of NTP attacks, how to spot weak systems, possible solutions, and resources for more information.
NTP is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver or modem. The existing NTP subnet consists of a multiply redundant hierarchy of servers and clients, with each level in the hierarchy identified by stratum number. Primary servers operate at stratum one and provide synchronization to secondary servers operating at stratum two and so on to higher strata. Each server listens on User Datagram Protocol (UDP) on port number 123, as per RFC 5905.
Details about the NTP servers available at the University are in the article "Campus Network Time Protocol (NTP) Service."
In late 2013, there was a sharp increase in the number of attacks using Unix-like systems running default installations of the NTP service. The vast majority of systems only need NTP's client functionality. An example of this is the ability to contact a preconfigured list of trusted NTP servers to set the local system time.
By default, NTP allows any remote system to query it for NTP-related statistics, and a small query can return a much larger response. Because NTP runs over UDP, the source IP address of a request can be spoofed. An attacker who wants to launch a Denial of Service (DoS) attack sends a small query to a vulnerable NTP server with the source address forged to be the victim's, and the NTP server sends its large response to the victim. By doing this against many NTP servers at once, an attacker turns a small amount of sent traffic into a significantly larger volume of traffic directed at someone else. This is known as an amplification distributed Denial of Service attack, or NTP amplification attack.
The standard command-line utilities shipped with NTP, ntpdc and ntpq, can be used to identify whether a system is at risk. These are the testing guidelines:
For example, to test from other-system, run both of these commands, wait 30 seconds, and run them again:
other-system$ ntpdc -c monlist <hostname-or-ip-of-system-to-test>
other-system$ ntpq -c readvar <hostname-or-ip-of-system-to-test>
If you have any questions about interpreting the results you can consult the documents listed under More Information below, or contact IT Security.
There are two possible recommended solutions: reconfiguration and/or NTP upgrade. Reconfiguration is most likely the easiest and surest solution. These recommendations can be adapted to your specific needs. Consult your system man pages for ntp.conf or the links provided below for more information.
Recommended configuration for restrict default in /etc/ntp.conf should include:
# Default policy prevents queries
restrict default nopeer nomodify notrap noquery
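As an added example (not part of the IT Services guide), the following Python audit reads an ntp.conf and reports whether the restrict default policy above is present and complete, accepting the -4 and -6 address-family forms as well. The two sample configurations are constructed for illustration.

```python
# Flags the guide recommends on the "restrict default" line of /etc/ntp.conf.
REQUIRED_FLAGS = {"nopeer", "nomodify", "notrap", "noquery"}

# Constructed sample of a default-style ntp.conf with no default policy:
# any remote host may send monlist/readvar queries.
VULNERABLE_CONF = """\
driftfile /var/lib/ntp/drift
server ntp.example.com iburst
restrict 127.0.0.1
"""

# Constructed sample with the recommended default policy applied (IPv4 and IPv6).
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
server ntp.example.com iburst
# Default policy prevents queries
restrict default nopeer nomodify notrap noquery
restrict -6 default nopeer nomodify notrap noquery
restrict 127.0.0.1
"""


def audit_ntp_conf(text):
    """Return a list of findings for the given ntp.conf text; an empty list means OK."""
    findings = []
    default_policies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "restrict":
            continue
        # "restrict default", "restrict -4 default" and "restrict -6 default"
        # all set the default policy for their address family.
        rest = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if rest and rest[0] == "default":
            default_policies.append(set(rest[1:]))
    if not default_policies:
        findings.append("no 'restrict default' line: any host may query this server")
    for flags in default_policies:
        missing = sorted(REQUIRED_FLAGS - flags)
        if missing:
            findings.append("restrict default is missing: " + " ".join(missing))
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "OK")
```

To audit a real system, pass the contents of /etc/ntp.conf to audit_ntp_conf; extra flags such as kod on the line do not affect the result.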