NTP and Its Implications on Cybersecurity

NJCCIC Alert

Original Release Date: 6/2/2020

Summary

Time synchronization is vital for managing, securing, debugging, and investigating security incidents: accurate timestamps on log files are necessary for alerting and for correlating events across systems during forensic analysis, and authentication systems such as Kerberos reject tickets when clocks drift beyond a small tolerance. Time correlation also underpins network usage accounting, file system updates, diagnosing issues, time-based security rules, and more. Typically, time synchronization is achieved with the Network Time Protocol (NTP), which runs over UDP port 123. NTP is hierarchical: stratum 1 servers take their time from reference clocks such as atomic clocks or GPS receivers, and each lower stratum synchronizes from the one above it, distributing that time across the systems on a network. NTP is one of the internet's oldest protocols and, in its default configuration, neither authenticates nor rate-limits its traffic, leaving it susceptible to distributed denial-of-service (DDoS) and man-in-the-middle (MitM) attacks. NTP amplification is a reflective DDoS attack in which an attacker sends small queries to publicly accessible NTP servers with the source IP address forged to that of the target, so the servers deliver their much larger responses to the target instead of the attacker. The classic vector is the monlist command (a mode 7 "private" query) of older ntpd versions, which returns the addresses of up to 600 recent clients; a request of a few dozen bytes can elicit tens of kilobytes in reply. The resulting flood consumes the target's bandwidth and may prevent legitimate users and systems from reaching network resources; for example, it could keep internet users from reaching an organization's websites and web resources. Additionally, because NTP packets are unauthenticated by default, an attacker positioned between client and server can intercept, read, and modify them and thereby shift the client's clock. A skewed clock can make valid certificates appear expired (or expired ones valid), break Kerberos and other time-bound authentication, and corrupt the log timestamps investigators depend on. NTP is particularly exposed here because clients typically rely on a small set of servers and the selection algorithm follows whichever of them agree, so an attacker who can alter enough of those responses controls the outcome.
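As an added illustration (example code, not part of the NJCCIC alert), the following Python decodes the NTP header fields a defender needs, shows that a bare 48-byte packet carries no authentication at all, and flags the amplification pattern described above when run over traffic seen at a reflector. Every packet and address in it is constructed: 198.51.100.10 plays the NTP server, 203.0.113.5 a normal client, and 192.0.2.20 the spoofed victim of a monlist attack. The "no extension fields" assumption for the MAC check is noted in the code.

```python
"""Classify NTP payloads and flag amplification traffic at a reflector.

Added example for this alert (not NJCCIC code). All packets and addresses
below are constructed; 198.51.100.10 plays the NTP server, 203.0.113.5 a
normal client, and 192.0.2.20 the spoofed victim of a monlist attack.
"""
import struct
from collections import defaultdict

# Mode values from the first byte (RFC 5905); 7 is ntpd's private/monitoring mode.
NTP_MODES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
             4: "server", 5: "broadcast", 6: "control", 7: "private"}
# Mode 7 request codes for monlist: 20 = MON_GETLIST, 42 = MON_GETLIST_1.
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}


def parse_ntp(payload: bytes) -> dict:
    """Decode the fields needed to classify one UDP payload on port 123."""
    if len(payload) < 4:
        raise ValueError("too short to be NTP")
    first = payload[0]
    info = {"version": (first >> 3) & 0x7, "mode": first & 0x7, "length": len(payload)}
    info["mode_name"] = NTP_MODES.get(info["mode"], "reserved")
    if info["mode"] == 7:
        # Mode 7 header: R|M|VN|mode, auth|seq, implementation, request code.
        info["response"] = bool(first & 0x80)
        info["request_code"] = payload[3]
        info["monlist"] = payload[3] in MONLIST_CODES
    elif info["mode"] in (1, 2, 3, 4, 5):
        if len(payload) < 48:
            raise ValueError("time packet shorter than the 48-byte header")
        info["stratum"] = payload[1]
        secs, frac = struct.unpack("!II", payload[40:48])  # transmit timestamp
        info["xmt"] = secs + frac / 2**32                    # seconds since 1900
        # Assumption: no extension fields, so bytes past 48 are a MAC
        # (4-byte key id + 16-byte MD5 or 20-byte SHA-1 digest). A bare
        # 48-byte packet carries no authentication at all.
        info["authenticated"] = len(payload) in (48 + 20, 48 + 24)
    return info


def reflection_report(flows, server, threshold=10.0):
    """Bytes in vs. bytes out per peer address as seen at `server`.

    A peer that sends monlist queries, or receives many times more bytes
    than it sends, is the (spoofed) target of amplification.
    """
    stats = defaultdict(lambda: {"in": 0, "out": 0, "monlist": False})
    for src, dst, payload in flows:
        info = parse_ntp(payload)
        if dst == server:
            stats[src]["in"] += len(payload)
            if info.get("monlist") and not info.get("response"):
                stats[src]["monlist"] = True
        elif src == server:
            stats[dst]["out"] += len(payload)
    report = {}
    for addr, s in stats.items():
        ratio = s["out"] / s["in"] if s["in"] else float("inf")
        report[addr] = {"ratio": ratio, "monlist": s["monlist"],
                        "suspect": s["monlist"] or ratio >= threshold}
    return report


# --- constructed sample traffic -------------------------------------------
SERVER = "198.51.100.10"
CLIENT_REQ = bytes([0x1B]) + b"\x00" * 47             # LI=0 VN=3 mode=3, 48 bytes
SERVER_RESP = (bytes([0x24, 2]) + b"\x00" * 38          # VN=4 mode=4, stratum 2
               + struct.pack("!II", 3800044800, 0))    # xmt = 2020-06-02 in NTP time
AUTH_RESP = SERVER_RESP + b"\x00\x00\x00\x01" + b"\x00" * 16    # key id 1 + MD5 MAC
MONLIST_REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4     # VN=2 mode=7, code 42
MONLIST_RESP = bytes([0x97, 0x00, 0x03, 0x2A]) + b"\x00" * 436  # R=1, 440-byte reply

FLOWS = [
    ("203.0.113.5", SERVER, CLIENT_REQ), (SERVER, "203.0.113.5", SERVER_RESP),
    ("192.0.2.20", SERVER, MONLIST_REQ),                        # spoofed source
    (SERVER, "192.0.2.20", MONLIST_RESP), (SERVER, "192.0.2.20", MONLIST_RESP),
    (SERVER, "192.0.2.20", MONLIST_RESP),
]

if __name__ == "__main__":
    for addr, r in reflection_report(FLOWS, SERVER).items():
        print(f"{addr:15} out/in={r['ratio']:7.1f} monlist={r['monlist']} suspect={r['suspect']}")
```

In the constructed sample the normal client's out/in ratio is 1.0 while the spoofed victim's is 165.0 from a single 8-byte monlist query, which is the shape a NetFlow or packet-capture query should look for on any NTP server you operate.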

Recommendations

The NJCCIC recommends users and administrators reduce the risk of NTP amplification and MitM attacks by:

- keeping NTP servers up to date; ntpd removed the monlist command in version 4.2.7p26, and later releases fix further vulnerabilities;
- not exposing UDP port 123 to the internet unless the server is intended to serve the public, and using firewall rules to limit access to known clients;
- disabling monlist on older ntpd builds (disable monitor) and refusing control and private queries from untrusted addresses (restrict default ... noquery nomodify);
- implementing ingress filtering (BCP 38) at the network edge so packets with spoofed source addresses are dropped before they reach any reflector;
- authenticating NTP traffic between clients and servers, for example with ntpd's symmetric keys or, in implementations that support it, Network Time Security (NTS); NTP is not encrypted in the ordinary sense, so authentication is what defeats tampering;
- configuring several independent time sources (at least four) so the selection algorithm can outvote a single malicious or faulty server.

The NJCCIC also encourages reviewing the NJCCIC post NTP: Time is of the Essence for more information on time synchronization and NTP. Additionally, review the guidance for properly configuring an NTP server for Windows and Linux.
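As an added example (not NJCCIC's or the ntpd project's code), the following Python audit checks an ntp.conf for the configuration items recommended above. It is run against two constructed configurations: one that leaves ntpd's defaults open, and one hardened with the restrict flags, disable monitor, multiple sources, and key authentication. The host time.example.internal and the key number are placeholders; the Windows Time service is configured differently and is not covered here.

```python
"""Audit an ntpd ntp.conf against the hardening items in the recommendations.

Added example; not NJCCIC or ntpd code. Both configurations below are
constructed; time.example.internal and key 1 are placeholders.
"""
import shlex

# Flags every 'restrict default' line should carry on an internet-facing ntpd.
REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify", "notrap", "nopeer"}
MIN_SOURCES = 4  # enough for the selection algorithm to outvote one falseticker

WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default
server 0.pool.ntp.org
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
# Default: answer time queries only; no control/monitor queries, no changes.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# Turn off the mode 7 monlist responder (gone upstream since 4.2.7p26, but
# explicit on older builds).
disable monitor
# Several independent sources so one bad server is outvoted.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
# Internal authenticated source (placeholder host and key number).
keys /etc/ntp/ntp.keys
trustedkey 1
server time.example.internal key 1 iburst
"""


def parse_conf(text):
    """Yield (directive, args) per non-comment line; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            yield parts[0], parts[1:]


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    directives = list(parse_conf(text))
    default_restricts = [a for d, a in directives if d == "restrict" and "default" in a]
    if not default_restricts:
        findings.append("no 'restrict default' line: server answers every query type")
    for args in default_restricts:
        missing = REQUIRED_DEFAULT_FLAGS - set(args)
        if missing:
            findings.append(f"restrict default missing {sorted(missing)}")
    if not any(d == "disable" and "monitor" in a for d, a in directives):
        findings.append("'disable monitor' absent: monlist reachable on ntpd < 4.2.7p26")
    # A 'pool' line expands to several servers at runtime; counting it once
    # keeps this check conservative.
    sources = [(d, a) for d, a in directives if d in ("server", "pool", "peer")]
    if len(sources) < MIN_SOURCES:
        findings.append(f"only {len(sources)} time source(s); configure at least {MIN_SOURCES}")
    if sources and not any("key" in a for _, a in sources):
        findings.append("no source uses 'key N' authentication: replies can be forged")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or 'OK'}")
```

The weak configuration produces four findings (open restrict line, monlist responder enabled, a single source, no authentication) and the hardened one none. After applying such a configuration, verify from an external host that ntpq -c rv and ntpdc -n -c monlist against the server are refused or time out while ordinary time requests still succeed.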

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
