Word Notes 10.13.20
Ep 19 | 10.13.20

Network Time Protocol (NTP) attack (noun)


Rick Howard: The word is NTP Attack.

Rick Howard: Spelled: N as in Network, T as in Time, and P as in Protocol.

Rick Howard: Definition: A reflection or amplification distributed denial-of-service attack in which hackers query Internet network time protocol servers, NTP servers for short, for the correct time, but spoof the destination address of their target victims.

Rick Howard: Example sentence: Hacktivists use network time protocol attacks to create an overwhelming distributed denial-of-service attack against their chosen victims.

Rick Howard: Context: According to Andrew Blum, in his excellent history of the Internet called "Tubes," published in 2012, "The moment of the Internet's first breath" happened in 1969 when the Stanford Research Institute and UCLA connected the first two computers over a phone line. Since then, the Internet began to exponentially grow. At some point in the growth period of the late 1970s, it became imperative that these now distributed computers across the globe, using satellite links and underwater fiber cables to communicate, stay synchronized in relation to time. If computers get out of time with each other, all kinds of problems start to arise, like incorrect backup schemes and incoherent system logs that hinder troubleshooting and security breach analysis. The solution that emerged was the network time protocol, or NTP, invented by David Mills, who rolled out the first version of it in 1984. It's since become important not only for technical reasons, but also to support compliance with laws like Sarbanes-Oxley and HIPAA, both of which require accurate time stamping. The way NTP works is through time-server strata. Stratum 1 servers connect directly to an authoritative time source like an atomic clock and are not publicly available. Only authorized stratum 2 servers can connect to them. Stratum 3 servers connect to stratum 2 servers, and so on, all the way down for a total of 256 strata. Clients that need the correct time query a time server, most times multiple time servers, at regular intervals in order to stay synchronized. Network time protocol attacks take advantage of this service by using reflection or amplification techniques. Reflection attacks query NTP servers for the correct time, but spoof the requester's IP address. The NTP server sends the correct time not to the hackers' computer, but to their intended victim. Amplification occurs when the hackers send large numbers of queries to one or more NTP servers in an attempt to overwhelm the intended victim's computer.

Rick Howard: Nerd reference: In a presentation given at the University of Delaware in 2005, David Mills, the inventor of NTP, described the ecosystem that he helped create. Remember, this is from 2005. The NTP server ecosystem is surely much bigger now.

David Mills: "The NTP subnet has about 25 million servers today. Twenty five million. They're on every continent. At one time, I thought, as the old radio ham that I am for 50 years, I'd like to work in countries with NTP. And I was hoping to get to the point some years ago when the sun would never set on NTP and I got there. Now it never gets close to the horizon. It's all over. It's in Antarctica. It's in space. It's on Mars. It's everywhere. The beauty of that is ubiquitous. And if you monitor the NTP subnet, you can tell a great many things are going on. And, the NTP servers and clients will communicate with each other every few minutes, every 10 minutes or so, and they're always doing it. So we have a network sounding machine. I sound the network. NTP servers."

Rick Howard: Go back and listen to that clip again. There is at least one NTP server on Mars. How cool is that?