The Network Time Protocol (NTP) has been seeing quite a bit of publicity this year, starting with the NTP Leap Second Bug in June promising—but greatly underdelivering—digital calamity of Y2K proportions. Ultimately, the fallout resulted in little more than sporadic Twitter interruptions, but last week newly discovered critical vulnerabilities in the timeworn clock synchronization protocol have increased the urgency of recent NTP-hardening projects like NTPSec.
As one of the oldest protocols currently in use, NTP has served as a trusty synchronization mechanism for connected nodes since the dawn of the internet. At the most basic level, the protocol enables the automatic synchronization of local system clocks—a client requests the current time from a server and uses the response to set its own clock. Alternatively, NTP synchronization can work in a peer-to-peer model, but the net result in both cases is the same: synchronization of local time within a few milliseconds of Coordinated Universal Time (UTC).
Despite the passing of three decades since NTP's first implementation, efforts to harden the aged protocol to withstand today's cyber threats have not kicked into full gear until recently, which is alarming considering how critical the element of time is to virtually all internet transactions and system communications. This is about to change, however—Boston University security researchers published this paper last week describing NTP exploits that could ultimately wreak havoc on the internet, allowing attackers to bypass HTTPS, defeat Bitcoin security, alter DNS records, and carry out a host of other nefarious activities. Projects like NTPSec are currently underway to give NTP a security booster shot by simplifying the protocol's codebase and hardening it to withstand today's cyber attacks.
Attacking various applications with NTP. Source: "Attacking the Network Time Protocol," Boston University.
The project's goal is to make NTP a safer protocol by updating the codebase to meet the security standards of today. NTPSec is essentially a massive NTP cleanup and hardening effort to make the protocol more secure and resilient through community-based testing, contributions, and maintenance. Unfortunately, the project has yet to officially release its codebase, so the secure implementation of NTP is still somewhere on the horizon.
So what can be done in the interim? Updating NTP clients and servers to the latest version (currently at 4.2.8p4) is the safest bet. Fortunately, UpGuard can scan your whole IT environment for NTP vulnerabilities with a couple of mouse clicks. It's free for the first 10 nodes, so give it a test drive on us.
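To check an inventory against the 4.2.8p4 floor mentioned above, the sketch below parses version banners and flags hosts that fall short. It is an added example, not code from the original article or from UpGuard. The hostnames and banner strings are constructed, and the banner layout and the treatment of `-RC`/`-beta` builds as pre-releases are assumptions.

```python
import re

MIN_VERSION = "4.2.8p4"  # version the article names as current

# Assumed reference-ntpd numbering: major.minor.point, optional pN patch level,
# optional -RC/-beta tag. Other implementations may number releases differently.
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(-(?:RC|beta)\d*)?", re.I)

def parse_ntp_version(banner):
    """Return a sortable tuple for the first version found in banner, or None."""
    m = _VER.search(banner)
    if m is None:
        return None
    major, minor, point = (int(m.group(i)) for i in (1, 2, 3))
    patch = int(m.group(4) or 0)  # "4.2.8" with no pN counts as patch level 0
    # Assumption: an -RC/-beta build precedes the final release of that patch level.
    final = 0 if m.group(5) else 1
    return (major, minor, point, patch, final)

def audit(banners, minimum=MIN_VERSION):
    """Map each host to 'ok', 'outdated' or 'unknown' against the minimum version."""
    floor = parse_ntp_version(minimum)
    result = {}
    for host, banner in banners.items():
        ver = parse_ntp_version(banner)
        if ver is None:
            result[host] = "unknown"  # unparseable banners need a manual look
        else:
            result[host] = "ok" if ver >= floor else "outdated"
    return result

# Constructed sample inventory (hostnames and banners are made up for illustration).
SAMPLE = {
    "ntp-a.example": "ntpd 4.2.8p4@1.3265-o Wed Oct 21 12:00:00 UTC 2015 (1)",
    "ntp-b.example": "ntpd 4.2.6p5@1.2349-o Mon Feb  2 10:00:00 UTC 2015 (1)",
    "ntp-c.example": "ntpd 4.2.8p10",     # numeric compare: p10 is newer than p4
    "ntp-d.example": "ntpd 4.2.8p4-RC1",  # release candidate, not the final p4
    "ntp-e.example": "version string unavailable",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Comparing the patch level as an integer matters here: a plain string comparison would rank `4.2.8p10` below `4.2.8p4`.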