NTP BUG 2901: Clients that receive a KoD should validate the origin timestamp field

Last update: June 28, 2022 20:06 UTC (57417e17c)


Summary

Resolved: 4.2.8p4, 21 Oct 2015
References: Bug 2901, CVE-2015-7704, CVE-2015-7705
Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77. Resolved in 4.2.8p4.
CVSS2 Score: 4.3-5.0 at worst, AV:N/AC:M/Au:N/C:N/I:N/A:P

Description

An ntpd client that honors Kiss-of-Death (KoD) responses will also honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates.

In addition, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response in an attempt to reduce the rate of incoming packets. The forged traffic may also trigger a firewall block at the server for packets from the target machine.

For either of these attacks to succeed, the attacker must know which servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query.


Mitigation

NOTE: 4.2.8p4 protects against the first attack. For the second attack, all we can do is warn when it is happening, which we do in 4.2.8p4.
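The check named in the title, shown as an added example (not ntpd's own code): a client accepts a KoD only if the packet's origin timestamp echoes the transmit timestamp of its own last request. The function names, verdict values and sample packets are constructed for illustration; the field offsets follow the standard 48-byte NTP header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_PKT_LEN 48   /* NTP header without extension fields or MAC */
#define OFF_STRATUM 1    /* stratum octet */
#define OFF_REFID   12   /* reference ID: 4-char ASCII kiss code in a KoD */
#define OFF_ORIGIN  24   /* 64-bit origin timestamp */

enum kod_verdict { NOT_KOD, KOD_ACCEPT, KOD_REJECT_ORIGIN, PKT_TOO_SHORT };

/* Classify a reply. last_xmt is the 8-byte transmit timestamp the client put
 * in its most recent request to this server; code receives the kiss code. */
enum kod_verdict check_kod(const uint8_t *pkt, size_t len,
                           const uint8_t last_xmt[8], char code[5])
{
    if (len < NTP_PKT_LEN)
        return PKT_TOO_SHORT;
    if (pkt[OFF_STRATUM] != 0)
        return NOT_KOD;                 /* KoD packets carry stratum 0 */
    memcpy(code, pkt + OFF_REFID, 4);   /* e.g. "RATE" or "DENY" */
    code[4] = '\0';
    /* A genuine reply echoes our transmit timestamp as its origin.
     * A forger who never saw our request cannot supply that value. */
    if (memcmp(pkt + OFF_ORIGIN, last_xmt, 8) != 0)
        return KOD_REJECT_ORIGIN;       /* ignore: do not back off polling */
    return KOD_ACCEPT;
}

/* Build a constructed sample KoD reply: mode 4, stratum 0, kiss code RATE. */
void make_sample_kod(uint8_t pkt[NTP_PKT_LEN], const uint8_t origin[8])
{
    memset(pkt, 0, NTP_PKT_LEN);
    pkt[0] = (uint8_t)((3 << 6) | (4 << 3) | 4);  /* LI=3, VN=4, mode=4 */
    memcpy(pkt + OFF_REFID, "RATE", 4);
    memcpy(pkt + OFF_ORIGIN, origin, 8);
}

int main(void)
{
    const uint8_t sent[8]  = {0xDE, 0xAD, 0xBE, 0xEF, 1, 2, 3, 4}; /* constructed */
    const uint8_t guess[8] = {0};       /* forger's origin field, constructed */
    uint8_t pkt[NTP_PKT_LEN];
    char code[5];

    make_sample_kod(pkt, sent);
    printf("genuine: %d\n", check_kod(pkt, sizeof pkt, sent, code));
    make_sample_kod(pkt, guess);
    printf("forged:  %d (%s)\n", check_kod(pkt, sizeof pkt, sent, code), code);
    return 0;
}
```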


Credit

This weakness was discovered by Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg of Boston University.


Timeline