Cryptology ePrint Archive: Report 2016/055

Attacking NTP's Authenticated Broadcast Mode

Aanchal Malhotra and Sharon Goldberg

Abstract: We identify two attacks on the Network Time Protocol (NTP)'s cryptographically-authenticated broadcast mode. First, we present a replay attack that allows an on-path attacker to indefinitely stick a broadcast client to a specific time. Second, we present a denial-of-service (DoS) attack that allows an off-path attacker to prevent a broadcast client from ever updating its system clock; to do this, the attacker sends the client a single malformed broadcast packet per query interval. Our DoS attack also applies to all other NTP modes that are `ephemeral' or `preemptable' (including manycast, pool, etc). We then use network measurements to give evidence that NTP's broadcast and other ephemeral/preemptable modes are being used in the wild. We conclude by discussing why NTP's current implementation of symmetric-key cryptographic authentication does not provide security in broadcast mode, and make some recommendations to improve the current state of affairs.

Category / Keywords: applications / network security, network time protocol, NTP, broadcast, off-path attacks, denial of service

Original Publication (in the same form): ACM SIGCOMM Computer Communication Review. April 2016

Date: received 23 Jan 2016, last revised 26 Feb 2016

Contact author: goldbe at cs bu edu

Available format(s): PDF | BibTeX Citation

Note: Revised per comments of SIGCOMM CCR reviewers.

Version: 20160226:164140 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]