Network time protocol servers tell other computers what time it is and help keep the Internet in sync. But if your NTP server isn’t properly secured, it can be hijacked into joining distributed denial of service attacks and knocking other machines offline.
Earlier this month, major video gaming servers including Steam, Battle.net, and EA.com were struck by distributed denial of service attacks. Reportedly, the attackers used a vulnerability in unpatched NTP software to blast these machines with a overwhelming volume of irrelevant data from time servers across the Internet. That type of attack has seen a “significant spike” since December, according to security firm Symantec.
Ordinarily, NTP client software that ships with most major operating systems simply connects to NTP servers to ask the current time. But older servers also allow clients to request a log of the server’s 600 most recent time interactions, explained a blog post by CDN provider CloudFlare’s John Graham-Cumming.
The request is just a few characters long, but the log can be multiple megabytes, so instead of just hitting a victim computer with data from their own computers or bots they control, attackers forge the victim’s IP address on log requests to NTP servers across the Internet. Security researchers call that an amplification attack, since the small amount of bandwidth used by the attackers to send the short requests is amplified by the servers dutifully sending the complete logs to the unsuspecting victim.
To avoid being exploited in such an attack, NTP server owners running the Network Time Foundation’s standard NTP implementation need to upgrade to at least NTP version 4.2.7p26, which disables the log request command, called monlist, wrote Graham-Cumming.
“Neither of these changes are recent,” he wrote. “Ntpd v4.2.7p26 was released in March 24, 2010, so upgrading doesn’t require using bleeding edge code.”
Allowing anyone access to the NTP connection logs can be potentially risky anyway, since it allows information to leak about connections from nonpublic computers connected to the server, according to the author of a plugin that lets the security tool nmap detect this vulnerability.
In his blog post, Graham-Cumming advised NTP server owners to read security research group Team Cymru’s guide to securing time servers.