Network Time Protocol - Coursework Example

NETWORK TIME PROTOCOL Network Time Protocol Introduction and functioning of NTP Network Time Protocol (NTP) refers to a protocol that is used in synchronization of computer clock time in network of computers. NTP makes use of Coordinated Universal Time (UTC) for the purpose of synchronization of computer clock times in either milliseconds or a fraction of milliseconds. In order to obtain UTC several methods can be used including satellite and radio systems. For high level, services such as Global Positioning Systems specialized receivers are always used. However, it is highly uneconomical and impractical for every computer in a network to be fitted with these receivers. Therefore, computers known as primary timeservers are always outfitted with the receivers then use protocols such as NTP to carry out the synchronization of clock times of computers that are connected to a network. The level of separation from the source of UTC is known as strata. Such protocol can have stratum-0, stratum-1, stratum-2, and so on. Stratum-0 refers to the radio clock that receives the true time from a satellite navigation system or dedicated transmitter. Stratum-1 is the computer that has direct connection to the radio clock, while stratum-2 is a computer that receives its time from stratum-1. This paper aims at discussing, with close attention to its workings; its past and present vulnerabilities, the impact of known exploits for the vulnerability and provides an opinion of the longevity of the aforementioned exploits. History Network time synchronization technology was first used in the year 1979 during the first public demonstration of internet services that were supposed to run over a transatlantic satellite network. In the year 1981 this technology was referred to as Internet Engineering Note. As a result a public protocol had to be developed. The other tools that were available at that time included time and daytime protocols that were used for recording events. In the year 1988, the implementation of NTPv0 took place in both UNIX and Fuzball (Mills, 2003). RFC 1119 was published in the year 1989 leading to the definition of NTPv2 with a pseudocode that described its operation. RFC 1305 defined NTPv3 in 1992. In the subsequent years, there were addition of new features and improvement of the algorithms leading to the publication of RFC 5905 in 2010. RFC 5905 had the specifications for NTPv4. Vulnerabilities There have been a number of security concerns regarding the use of NTP. There is much vulnerability that observed in NTP implementations even before the introduction of version 4.2.8. Unauthorised persons can be able to play with NTP using big response packets. A good example of the most recently used big response package is DDoS amplification attack. As a result of such interference there is disruption of crucial services that are time dependent. The use of NTP within Industrial Control Systems deployments is something that is commonly known. However, it should also be noted that some of these systems are engaged in a number of critical operations. The implementation of NTP has been discovered to allow the transfer of unauthenticated packets that have symmetric key cryptography. At the same time, there is no any kind of protection that is given systematic associations to prevent them against denial serve attack. As a result of this shortcoming, unauthorised users with access the network can be able to inject insecure packets into the network. Unauthorised individuals can also be able to prevent symmetrically authenticated hosts from getting peer synchronization. CVE-2015-1798 mitigates a vulnerability that is commonly involved in NTP4 fixing. According to (Gayraud & Lourdelet (2010), this mitigation makes use of ntp-4.2.5p99 to ntp-4.2.8p1 version of the symmetric key authentication. In his publication, Mills (2003) denote that such a case leads to a scenario whereby packets that do not have MAC can be used just as if they had MAC. This gives attackers the freedom of leveraging the validation error, thus sending packages that are acceptable by clients. When NTP is configured to allow the use of a symmetric key with an NTP peer or server, it is supposed to check if the NTPD message authentication code in any packet that is received is valid. However, the shortcoming arises from the fact that the NTPD does not check if there is inclusion of a MAC (Mills, 2006). Therefore, this shortcoming leads to a scenario where packets without MAC are accepted just as if they had MAC. This leads to the possibility of MITM attackers to send false packets to unsuspecting clients and peers. There is another vulnerability of NTP that relates to mitigation of a flaw in installations utilizing symmetric key authentication. This can result in a situation whereby peering hosts who receive with transmit and originate timestamps are not matching. This leads to a scenario where attackers are able to send packets to both hosts with the aim of making sure that there is no synchronization taking place. Despite the fact that NTP authentication is supposed to be protecting clients from such attacks, this has not always been the case. The state variables are supposed to be updated even during occasions when authentication fails. This is a kind of vulnerability that is not new for NTP (Gayraud & Lourdelet, 2010). This is because it has been observed in NTPv4 (RFC 5905) and NTPv3 (RFC 1305). This can be an implication that NTP implementation that supports systematic association might be facing the same vulnerability. The implementation of NTP is also vulnerable to a bogus attack. This is a kind of attack whereby an attacker to manufacture a packet that can be acceptable to the clients or servers. On reception of these bogus packets, clients and servers usually treat them like they were the actual packets. There is also a common type of attack that known as the wiretap attack. This is a type of attack whereby the attacker copies server and client packets, enabling them to principally archive them forever. There is also the replay attack whereby he attacker replays one or more of the copied packets (Convery, 2004). Such kind of scenarios leads to two types of duplicates namely: a duplicate and an old duplicate. An old duplicate is a replay of a packet that is not recent while a duplicate is the replaying of recently transmitted packets. Apart from some of the most commonly known attacks, there are some attacks on NTP that are commonly referred to as passive attacks. In the transmission process packets can be lost as a result of queue overflows, collisions, and bit errors which can result to checksum failure. Because of the characteristics of the mitigation algorithms that are defined in the NTPv4 specification, a moderate rate of losing packets is not of any effect on the performance of other algorithms. However, there are some cases where losing packets might lead to protocol restart. This will result to a scenario whereby there are delays with the affected algorithms. NTP is also vulnerable to middleman attacks. In a middleman attack, an attacker can be able to intercept a server or client packet given them the ability to prevent their onward transmissions. At this point, the middleman can fabricate misleading or bogus packets that are easily accepted by the server or clients. However, in such cases an attacker can also attempt to launch a cut-and-paste attack with the main purpose of subtitling bogus or old information in an Autokey extension field. However, all the attacks that have been discussed herein cannot be as catastrophic as a masquerade attack. A Masquerade attack takes place when an attacker successfully assumes the identity of a server. A masquerade attack is possible through bogus DNS server or compromised routers. Reduction of vulnerability and mitigation In order to understand the ways through which the security threats of NTP can be reduced, it is of importance for someone to understand the security model of NTP. The security model of NTP has a hierarchical structure. The deferenceagainstattackers begins from the bottom layer, which is the On-wire protocol layer. In any case, there is any attack on any layer the defence usually comes from the upper layer. In this layer the transmit timestamp in the NTP packet is always used as a nonce for duplicate and bogus detections in a loopback test. For the purpose of this detection a random fuzz should be in the non-significant bits present in the 64-bit transmits timestamp. Due to the unpredictability of the transmission and the uniqueness of every transmit timestamp makes it easy for detection of any attack (Estrela et al., 2014). Detection take place if a transmit timestamphappens to match the transmit timestamp of a previous packet. A rogue or compromised server or router can be able to modify all the other fields of a packet apart dorm the transmit timestamp field. The message digest layer uses symmetric key cryptography for the computation of message digest to prevent the incorrect classification of packets or deliveries in wrong time (Northcutt& Novak, 2002). The security of the massage digest layer is highly dependent on the message digest key. The message digest key is always loaded by the reference implementation whenever the program is started. Given the fact that the message digest key can only be shared between intended clients and servers, this layer can be protected from some of the threats that have been discussed herein. It also protects the level from middleman attack or masquerade. The Autokey sequence layer is responsible for the authentication of NTP packets using digital signatures and public key cryptography. However, it should be noted that public key algorithms tend to have highly valuable and long exaction, making it impossible for them to be used in every packet. The digitally signed packets are occasionally used and the other packets are attached to them through the use of pseudo-random sequence and fast hash techniques. The Autokey protocol layer is responsible for the retrieval and updating of cryptographic media such as identity keys and certificates. The cryptographic media are categorized into public/private key pairs and private values. Public/private key pairs have sign keys, identity keys, and host keys. Host keys are important for the encryption of client cookie. Sign keys are responsible for verification of signatures on extended fields on certificates (McNab, 2008). In any case, a sign key has to be changed then regeneration of all the certificates that depend on them will be inevitable. Identity keys are usually important in keeping away middleman masquerade attacks. For each cryptographic media type there is always a timestamp to defend them from replay attacks. NTP can also be secured using the packet sanity tests, which are responsible for the detection of packets that have invalid packet header values or format. There are various mitigation techniques that have always been used in the reduction of vulnerability of NTP apart from those that have been discussed above. The most reliable mitigation techniques have been observed to have the ability of filtering and dropping packets depending on their validity. Some of these techniques even go as far as checking the IP address of the packets, one common mitigation technique that is used by many people I knows as “triple A” or “AAA” the three As stand for Authentication, Authorization, and Accounting. This technique involves the three services that can be used in enhancing network security (Cole, 2013). Authentication refers to the process of identifying a user by login or password. This is a way through which any access to a network can be verified to be from a viable user. This process helps in reducing the rate at which there is unauthorised access to NTP. Authorization refers to the process of determining what a user is allowed to do and those things that they are not allowed to do. This is specifically meant to make sure that even viable users do not cross their boundaries. Accounting involves the process of assembling and sending usage information. This technique works together with RADIUS or TACACS in provision of network security with user activity records. However, with the increase in the use of the internet and advancement in technology, this technique has been observed to be incapable of completely curbing vulnerabilities in NTP. Cisco ACLs refers to a list of denies and permits statements that are applicable on cisco devices in determination of whether a packet should be allowed to access the network. This technique has proved to be reliable in blocking of IP spoofing, Smurf attacks, TCP SYN attacks, and ICMP and traceroute (AlfraihAbdulaziz Nasser & Chen, 2014). Cisco IOS Secure Management Features can also be used for the purpose of enhancing NTP security.Cisco IOS Secure Management has proved to be effective in protecting networks inSecure Shell (SSH), Simple Network Management Protocol (SNMP), Syslog, and Network Time Protocol (NTP) Intrusion Prevention System (IPS) can also be useful in mitigating security issues that are involved in the implementation of NTP. IPS refers to an active device that has the ability of being in line with the traffic path in a network. It is responsible for the identification of attacks in the traffic. At any sacksful identification of an attack, it works with the firewall in modification of rule templates thus allowing blocking of attackers’ address when the attack is still in progress. Another device that can be used to enhance security of NTP implementation is Intrusion Detection System (IDS). IDS are not always necessarily in line with the network’s traffic path. It listens for any attack on the network traffic, then issues alerts and issue TCP resets whenever necessary. References AlfraihAbdulaziz Nasser, A., & Chen, W. B. (2014).NTP DRDoS Attack Vulnerability and Mitigation.In Applied Mechanics and Materials (Vol. 644, pp. 2875-2880). Cole, E. (2013). Network security bible. Hoboken, N.J: Wiley. Convery, S. (2004).Network security architectures: [expert guidance on designing secure networks]. Indianapolis, Ind: Cisco Press. Estrela, P. V., Neusüß, S., AG, D. B., Owczarek, W., & Euronext, N. Y. S. E. (2014). Using a multi-source NTP watchdog to increase the robustness of PTPv2 in Financial Industry networks. In Precision Clock Synchronization for Measurement, Control, and Communication (ISPCS), 2014 IEEE International Symposium on (pp. 87-92). IEEE. Gayraud, R., &Lourdelet, B. (2010).Network Time Protocol (NTP) Server Option for DHCPv6. Network. McNab, C. (2008). Network security assessment. Beijing: OReilly Media, Inc. Mills, D. L. (2003). A brief history of NTP time: Memoirs of an Internet timekeeper. ACM SIGCOMM Computer Communication Review, 33(2), 9-21. Mills, D. L. (2006).Simple network time protocol (SNTP) version 4 for IPv4, IPv6 and OSI. Northcutt, S., & Novak, J. (2002).Network intrusion detection. Indianapolis, Ind: New Riders. Röttger, S., Adamek, J., &Milius, S. (2012). Analysis of the NTP Autokey Procedures. Read More