
The Vulnerability Research On NTP With Authentication Mechanism

Posted on: 2018-10-07
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Diao
Full Text: PDF
GTID: 2348330515951694
Subject: Communication and Information System
Abstract/Summary:
NTP (Network Time Protocol) synchronizes host clocks over the Internet. Its design takes careful account of how difficult time synchronization over the Internet is: it uses reference clocks such as GPS as the time standard together with a hierarchical client/server structure, which gives it enough flexibility to adapt to a wide variety of Internet environments. NTP not only corrects the current time but also tracks how the local clock drifts, adjusts it automatically and keeps it stable even when the network fails. It generates very little network traffic and includes security mechanisms of its own, which is why it delivers reliable, accurate synchronization and is the recognized time synchronization tool on the Internet. An NTP client uses the four timestamps carried by the synchronization packet it receives from its server to compute the offset between the local clock and the server's clock, then adjusts the local clock to bring it into line with the server. NTP offers two authentication mechanisms, symmetric and asymmetric: the symmetric scheme authenticates each packet with a message digest computed under a key shared between server and client, while the asymmetric scheme (Autokey) uses public-key cryptography, with the server's private key used to produce values that clients verify with the corresponding public key. Enabling authentication greatly improves the security of the protocol.

This thesis studies the vulnerabilities of NTP in two network environments, a local area network and a wide area network, under both symmetric-key authentication and asymmetric (public-key) authentication. The results show that three processes of NTP remain open to attack: the time synchronization algorithm, the authentication process, and the way the server monitors the behavior of its clients. The synchronization algorithm assumes that the difference between the two one-way transmission delays of a packet exchange is negligible; a man-in-the-middle can make the delay in one direction large, so that the offset computed by the algorithm is wrong. Under symmetric-key authentication the server distributes its key file to all of its clients, so any client can impersonate the server and supply wrong time to the other clients. Under asymmetric authentication, the Server_seed value from which the cookie is computed is not refreshed dynamically in the latest source code, which makes it easier for an attacker to impersonate a server that passes the client's verification. Moreover, the server keeps no state about its clients, so a flood of cookie requests consumes a large amount of the server's computing resources and can crash the NTP process.

In the LAN environment we used ARP spoofing to carry out three attack experiments: a delay attack, a forged-server attack and a DDoS attack. The results show that the delay attack shifts the client's time by up to about 4 s under symmetric authentication and by up to about 1 s under asymmetric authentication; the forged-server attack prevents the clients that depend on the targeted server from synchronizing to the correct time; and the DDoS attack, which applies only to NTP with asymmetric authentication, paralyzes the NTP server with a probability of more than 75%. Further experiments in an IP network environment used domain-name hijacking to mount the same three attacks and achieved the same effect as in the LAN, except for the delay attack under asymmetric authentication.
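The offset computation and the shared-key authentication described above, as an added Python example that is not part of the thesis or of the NTP reference implementation. It models one client/server exchange with the four timestamps, the symmetric-key MAC of RFC 5905 (a 32-bit key ID followed by MD5 over the shared key concatenated with the 48-byte header), and two of the attacks the abstract reports: a man-in-the-middle that holds the authenticated reply for a few seconds, which shifts the computed offset by half of the added delay while the MAC still verifies, and a rogue client that holds the same key file and forges a server reply that the client accepts. The timestamps, the key and key ID, and all function names are constructed for the example.

```python
"""Added example (not from the thesis): NTP offset/delay arithmetic, symmetric-key
MAC verification, and why a one-way delay inserted by a man-in-the-middle or a reply
forged with the shared key both pass authentication yet corrupt the client's clock."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER_LEN = 48                   # fixed NTP header; the symmetric-key MAC follows it

def to_ntp_ts(unix_seconds: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_seconds)
    frac = min(int(round((unix_seconds - secs) * (1 << 32))), 0xFFFFFFFF)
    return ((secs + NTP_EPOCH_OFFSET) << 32) | frac

def from_ntp_ts(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds (float, sub-microsecond resolution)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)

def build_server_reply(t1: int, t2: int, t3: int, key_id: int, key: bytes) -> bytes:
    """Mode-4 (server) packet with origin/receive/transmit timestamps, followed by the
    RFC 5905 symmetric-key MAC: key ID + MD5(key || header)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                   # leap=0, version=4, mode=4 (server)
    header = struct.pack("!BBBb", li_vn_mode, 1, 6, -20)   # stratum 1, poll 2^6 s, precision 2^-20 s
    header += struct.pack("!II", 0, 0)                     # root delay / dispersion (zero here)
    header += b"GPS\x00"                                   # reference ID of a GPS-disciplined server
    header += struct.pack("!QQQQ", t2, t1, t2, t3)         # reference, origin, receive, transmit
    assert len(header) == HEADER_LEN
    mac = struct.pack("!I", key_id) + hashlib.md5(key + header).digest()
    return header + mac

def verify_mac(packet: bytes, keys: dict) -> bool:
    """True if the trailing MAC was produced with the key named by its key ID."""
    if len(packet) != HEADER_LEN + 4 + 16:
        return False
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    key = keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(hashlib.md5(key + header).digest(), digest)

def parse_timestamps(packet: bytes):
    """Origin (t1), receive (t2) and transmit (t3) timestamps from a server packet."""
    _ref, t1, t2, t3 = struct.unpack("!QQQQ", packet[16:48])
    return t1, t2, t3

def offset_and_delay(t1: int, t2: int, t3: int, t4: int):
    """RFC 5905 clock offset and round-trip delay in seconds. The offset formula assumes
    the two one-way delays are equal; an asymmetry of d seconds between them appears as an
    offset error of d/2, while only the round-trip delay reveals that something was added."""
    a, b, c, d = map(from_ntp_ts, (t1, t2, t3, t4))
    offset = ((b - a) + (c - d)) / 2
    delay = (d - a) - (c - b)
    return offset, delay

KEY_ID = 1
SHARED_KEY = b"example-shared-key"  # constructed; the same key file is handed to every client
BASE = 1_500_000_000.0              # constructed true time at which the client polls; its clock is correct

def delayed_exchange(extra_reply_delay: float):
    """Client and server are in sync with 10 ms one-way latency; a man-in-the-middle holds the
    server's (unmodified) reply for extra_reply_delay seconds. Returns (mac_ok, offset, delay)."""
    t1 = to_ntp_ts(BASE)
    t2 = to_ntp_ts(BASE + 0.010)
    t3 = to_ntp_ts(BASE + 0.011)
    reply = build_server_reply(t1, t2, t3, KEY_ID, SHARED_KEY)
    t4 = to_ntp_ts(BASE + 0.021 + extra_reply_delay)     # reply arrives late but intact
    mac_ok = verify_mac(reply, {KEY_ID: SHARED_KEY})
    offset, delay = offset_and_delay(*parse_timestamps(reply), t4)
    return mac_ok, offset, delay

def forged_reply_from_rogue_client(clock_shift: float):
    """A peer that received the same key file impersonates the server and reports a clock
    clock_shift seconds ahead; the MAC verifies because the key is shared, not server-only."""
    t1 = to_ntp_ts(BASE)
    t2 = to_ntp_ts(BASE + 0.010 + clock_shift)
    t3 = to_ntp_ts(BASE + 0.011 + clock_shift)
    forged = build_server_reply(t1, t2, t3, KEY_ID, SHARED_KEY)
    t4 = to_ntp_ts(BASE + 0.021)
    mac_ok = verify_mac(forged, {KEY_ID: SHARED_KEY})
    offset, delay = offset_and_delay(*parse_timestamps(forged), t4)
    return mac_ok, offset, delay

if __name__ == "__main__":
    for extra in (0.0, 2.0):
        ok, off, dly = delayed_exchange(extra)
        print(f"MITM holds reply {extra:.1f}s: MAC ok={ok}, offset={off:+.3f}s, delay={dly:.3f}s")
    ok, off, dly = forged_reply_from_rogue_client(3600.0)
    print(f"forged server reply: MAC ok={ok}, offset={off:+.1f}s, delay={dly:.3f}s")
```

With no interference the client computes a zero offset and a 20 ms round trip. Holding the reply for 2 s leaves the MAC valid but yields an offset of -1 s (half the added delay) and a 2.02 s round trip, so a client that wants to resist this attack has to reject or down-weight samples whose delay is far above the path's usual value rather than rely on authentication. The forged reply shows the other weakness: because the key file is shared with every client, a rogue client's packet claiming the server is an hour ahead authenticates exactly as a genuine one would.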
Keywords/Search Tags: NTP, encryption authentication, protocol destroy, synchronize