How can I protect against time attacks when using NTP in an infrastructure?

  • 24 February 2023

Userlevel 6
Badge +6

Hello fellow community members, I am looking for some help. I am constructing a new blog around protecting against time attacks in an infrastructure, where NTP is most often used. I would kindly ask anyone to add to this list or supply feedback on the best ways to protect NTP.

Network Time Protocol (NTP) is a commonly used protocol for synchronizing the clocks of devices in a network infrastructure. However, NTP can be vulnerable to various types of time-based attacks, including NTP amplification attacks, NTP reflection attacks, and NTP replay attacks. Here are some ways to protect against these attacks when using NTP in an infrastructure:

  1. Use authentication: NTP can support authentication, which enables devices to verify the identity of the time source and ensure that the time information is coming from a trusted source. It is recommended to use authentication to protect against time-based attacks.
  2. Limit access: Restricting access to NTP services can reduce the risk of time-based attacks. This can be achieved by using firewalls to block unauthorized access to NTP services, limiting NTP traffic to trusted sources or networks, or using access control lists (ACLs) to restrict NTP traffic to authorized devices.
  3. Implement rate limiting: NTP amplification attacks can be prevented by implementing rate limiting on NTP traffic. Rate limiting can prevent an attacker from overwhelming the network with NTP traffic by limiting the number of requests that can be sent to the NTP server.
  4. Use the latest version: Ensure that you are using the latest version of NTP, as new versions may include security fixes and improvements. It is also important to keep the NTP server and other network devices up to date with the latest security patches.
  5. Monitor NTP traffic: Monitoring NTP traffic can help to detect and mitigate time-based attacks. Network monitoring tools can be used to identify unusual NTP traffic patterns or to detect NTP amplification or reflection attacks.

In summary, protecting against time-based attacks when using NTP in an infrastructure requires a combination of measures, including using authentication, limiting access, implementing rate limiting, using the latest version, and monitoring NTP traffic. By taking these steps, you can help to protect your network infrastructure from NTP-based attacks.
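As an added example (not part of the original post), the following Python checker audits an ntpd configuration for the items listed above: symmetric-key authentication, a restrictive default access policy, rate limiting and the legacy monlist query being disabled. The two configurations embedded in it are constructed for illustration; the key file path and pool hostnames are placeholders.

```python
"""Audit an ntp.conf for the NTP hardening items discussed above."""

# Constructed sample: an open, unauthenticated configuration.
WEAK_CONF = """\
server 0.pool.ntp.org
server 1.pool.ntp.org
restrict default
"""

# Constructed sample: authenticated peers, restrictive default policy,
# rate limiting (kod + limited, thresholds from 'discard') and monlist off.
HARDENED_CONF = """\
keys /etc/ntp/ntp.keys          # placeholder path
trustedkey 1
server 0.pool.ntp.org iburst key 1
restrict default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer limited
disable monitor
discard minimum 2 average 3
"""


def parse(conf):
    """Return (keyword, [args]) tuples, ignoring comments and blank lines."""
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def audit(conf):
    """Return a list of hardening items the configuration is missing."""
    items = parse(conf)
    keywords = {k for k, _ in items}
    # Flags on the 'restrict default' line; an empty flag set allows everything.
    defaults = [set(a) for k, a in items if k == "restrict" and a and a[0] == "default"]
    flags = defaults[0] if defaults else set()
    missing = []
    if "keys" not in keywords or "trustedkey" not in keywords:
        missing.append("authentication (keys/trustedkey)")
    if not all("key" in a for k, a in items if k in ("server", "peer")):
        missing.append("unauthenticated server/peer line")
    if not {"noquery", "nomodify", "nopeer"} <= flags:
        missing.append("restrict default lacks noquery/nomodify/nopeer")
    if "limited" not in flags or "kod" not in flags:
        missing.append("rate limiting (kod/limited on restrict default)")
    if not any("monitor" in a for k, a in items if k == "disable"):
        missing.append("monlist still enabled (disable monitor)")
    return missing
```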


7 comments

Userlevel 6
Badge +4

Hello,

I use to ask my customer to disable it for Linux hardened repository and monitoring it and manually resync if necessary.

Userlevel 6
Badge +6

@damien commenge  That can work for the hardened repository. Locally generated time can be off a few seconds to minutes but wouldn't break or expose security there. One question I do have though: does your customer have no compliance needs around time? For example:

  • Compliance: Many regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS), require accurate time synchronization for compliance. Organizations that fail to comply with these regulations may face penalties and damage to their reputation.

Userlevel 7
Badge +7

Indeed, it has never been given too much importance, at least on my part, but I am realizing more and more, even in light of WORM/immutability type data protection features, how critical it is beginning to be to think about and implement these strategies on the NTP service. Thanks for sharing!

Userlevel 7
Badge +13

Hi @Viperian, other than that, I’ll add:

That’s all. But the most important thing is the ACL list :)

Userlevel 7
Badge +20

Wow, this is some great information. Never realized that you need to look at security for NTP.

Userlevel 7
Badge +9

Hello @Viperian, I think you have covered this topic above and beyond and did not restrict your solution to a specific technology. Here I would like to discuss some scenarios :-)

  • Point 4 mitigates attacks relating to NTP vulnerabilities (weaknesses).

This scenario also prevents the "Replay attack" which you have mentioned above. In my case, I will be a bit specific to an Active Directory environment, and this is also applicable to network appliances, as time is one of the important settings in a domain.

It is vital for all clocks to be within 5 minutes of each other by default, due to the implementation of the Kerberos protocol for authentication. For time stamps to work properly, the clocks of the client and the Domain Controller need to be in sync as much as possible!


By default, Network Time Protocol (NTP) is the time synchronisation protocol used by the Windows Time Service (WTS) in Windows. All Domain Controllers (DCs) should get their time from the DC holding the PDC Emulator FSMO role (time master), and this time should be as accurate as possible. To maintain the accuracy, the root domain PDC emulator must be configured to synchronise its time with an external time source which is reliable.

  • Therefore, all domain member servers/workstations MUST synchronise time from their respective DCs, as the correct time is needed for Kerberos authentication, as mentioned in "Point 1" above, to prevent a replay attack.

Recommendation! This behavior does not need to be reconfigured. However, if you want to ensure that the default behavior would not be overridden by someone on the client side, you can force a Group Policy to push the configuration.

Here are some Time Service policies that should be adhered to in a domain environment:

  • Disable Virtual Machine Time Sync from host (If enabled, guest machines will draw time from the physical host they are running on): https://kb.vmware.com/s/article/1189#:~:text=To%20disable%20periodic%20time%20synchronization,the%20checkbox%20Synchronize%20time%20periodically.
  • DHCP scope option should be used to push NTP server settings to a non-windows device
  • For devices that do not support an NTP server, the time must be configured statically.
  • Since NTP can be used to manipulate logs by altering the sequence of events, Point 2 should be strictly adhered to.
  • Lastly, poor NTP configuration should be avoided by all means. The recent DDoS attack on NTP was not the result of a security weakness (vulnerability), but of poor configuration.

This is not a comprehensive piece, as it does not discuss all points, but it does cover some vital points.

Userlevel 7
Badge +7

Another option would be to set up an internal NTP server that is used by the local network/domain, with it syncing externally once a day, for example.
