How to Protect Your NTP Server from Cyberattacks

Network experts already know that distributing the correct time is key to maintaining their critical infrastructure programs. However, keeping accurate time is also fundamental to many cybersecurity applications. Certificates have an expiration date attached to them, and system logs frequently contain time stamps that operators rely on for diagnosing issues.

Over the last few years, there has been significant research into ways that the NTP protocol (specified in RFC 5905) can be secured against malicious attackers. Attackers can target an NTP server and, after gaining access, alter the time that is being served. But attackers who have access to a network can also monitor NTP traffic, learn the identity (such as the IP address) of a legitimate server, and attempt to mislead NTP clients by forging packets from that server with bad time values.

These common spoofing attacks can result in inaccurate time. And if you use time sources from outside your organization that rely on networks that are not under your control – such as internet time – it’s even more important to ensure that you have accurate, consistent time on your server. Although there are steps that your ISP can take to prevent this type of spoofing, it is always better to take preventive actions wherever you can.

The Internet Engineering Task Force (IETF) has released RFC 8633, “Network Time Protocol Best Current Practices”, which includes several new security best practices. Among other things, it includes a discussion of how to mitigate these types of cyberattacks. A few of these Best Practices are summarized here:

1. Use Multiple NTP Servers – The easiest thing for a network operator to do is simply configure their clients to use multiple NTP servers on the network.

With this configuration, the NTP client can process multiple time sources at the same time and discard one if it disagrees with the rest. This makes an attacker’s job harder, because they will need to attack the NTP traffic from a majority of the servers to impact the NTP clients.

2. Monitor Servers From The Client’s Perspective – Another Best Practice is to have NTP client nodes devoted to monitoring the health of the NTP servers on the network. Monitoring an NTP server directly is important, but it will only tell you if there is a problem with that particular server. If you monitor it from the client side, you can look at the time transfer process from the client’s perspective and see whether there is anything suspicious happening after the packets leave the server.
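The two practices above, multiple servers and monitoring from the client’s side, come together in the following example. It is added here and is not code from the article or from Orolia: it parses NTP mode-4 (server) replies, computes each server’s clock offset as the client sees it using the RFC 5905 on-wire formula, and keeps only the servers whose offsets agree with a majority. The server names, timestamps and packets are all constructed inline, and the selection routine is a deliberately simplified stand-in for the RFC 5905 selection and clustering algorithms, not a reimplementation of them.

```python
"""Added example, not code from the article or from Orolia: parse NTP
mode-4 (server) replies from several servers, compute each server's
clock offset as seen from the client, and discard any server whose
offset disagrees with the majority.  Every packet below is constructed
inline; nothing touches the network."""
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def to_ntp_ts(unix_seconds):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_server_reply(t1, t2, t3, stratum=2):
    """Constructed 48-byte NTPv4 mode-4 packet: origin=t1, receive=t2, transmit=t3.
    Poll, precision, root delay/dispersion and reference ID are filler values."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, mode=4 (server)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
    root = struct.pack("!II", 0, 0)               # root delay, root dispersion
    ref_id = b"GPS\x00"
    stamps = struct.pack("!QQQQ", 0, to_ntp_ts(t1), to_ntp_ts(t2), to_ntp_ts(t3))
    return header + root + ref_id + stamps


def parse_reply(packet):
    """Validate the header and pull out the three timestamps the offset needs."""
    if len(packet) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(packet))
    li_vn_mode, stratum = struct.unpack("!BB", packet[:2])
    mode = li_vn_mode & 0x7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    origin, receive, transmit = struct.unpack("!QQQ", packet[24:48])
    return {"version": (li_vn_mode >> 3) & 0x7, "stratum": stratum,
            "t1": from_ntp_ts(origin), "t2": from_ntp_ts(receive),
            "t3": from_ntp_ts(transmit)}


def clock_offset(reply, t4):
    """RFC 5905 on-wire offset: theta = ((t2 - t1) + (t3 - t4)) / 2."""
    return ((reply["t2"] - reply["t1"]) + (reply["t3"] - t4)) / 2


def select_truechimers(offsets, tolerance):
    """Keep the largest group of servers whose offsets agree within `tolerance`;
    return (agreeing, falsetickers).  If no group is a strict majority, trust
    nothing.  A deliberately simplified stand-in for the RFC 5905 selection
    and clustering algorithms, not a reimplementation of them."""
    best = []
    for _, anchor in offsets.items():
        group = [n for n, o in offsets.items() if abs(o - anchor) <= tolerance]
        if len(group) > len(best):
            best = group
    if len(best) * 2 <= len(offsets):
        return [], sorted(offsets)
    return sorted(best), sorted(set(offsets) - set(best))


def sample_run():
    """Three honest servers plus one 'rogue' answering 600 s ahead (all constructed)."""
    t1 = 1_600_000_000.0          # client transmit time (Unix seconds)
    t4 = t1 + 0.020               # client receive time: 20 ms round trip
    shifts = {"ntp1.example": 0.0, "ntp2.example": 0.002,
              "ntp3.example": -0.001, "rogue.example": 600.0}
    offsets = {}
    for name, shift in shifts.items():
        pkt = build_server_reply(t1, t1 + 0.010 + shift, t1 + 0.011 + shift)
        offsets[name] = clock_offset(parse_reply(pkt), t4)
    # 128 ms is the step threshold ntpd uses by default; reused here as the
    # agreement tolerance for the toy selection above.
    return offsets, select_truechimers(offsets, tolerance=0.128)


if __name__ == "__main__":
    offsets, (agreeing, falsetickers) = sample_run()
    for name, off in sorted(offsets.items()):
        print("%-14s offset %+10.4f s" % (name, off))
    print("agreeing:", agreeing, " falsetickers:", falsetickers)
```

Run as a script it prints the four offsets and lists rogue.example as the lone falseticker. The point for a monitoring node is the two-server case: `select_truechimers` returns no agreeing set when one of two servers lies, because a client cannot tell which of the two is wrong, which is why the article recommends more than two sources.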

3. Use NTP Encryption Options – The NTP peering packets (as well as the mode 6 “ntpq”-style queries) contain sensitive information that can be used in an attack. When using these services, operators are advised to either use NTP encryption options (such as symmetric keys) or use other means (such as access control lists) to control who can access these NTP queries. This will prevent this information from leaking out to unauthorized parties who could use it in a cyberattack.
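The symmetric-key option mentioned above authenticates packets rather than encrypting them: the classic RFC 5905 MAC is a 32-bit key ID followed by an MD5 digest of the shared key concatenated with the 48-byte packet, and a client that verifies it will drop forged packets from anyone who does not hold the key. The example below is added here, not code from the article or from any NTP implementation; the packet bytes, key ID and key are constructed, and the verifier is shown from the receiving (defending) side.

```python
"""Added example, not from the article: compute and verify the classic NTP
symmetric-key MAC (RFC 5905 section 7.3), a 32-bit key ID followed by
MD5(key || 48-byte packet).  Packet, key ID and key are all constructed."""
import hashlib
import hmac
import struct

# Constructed 48-byte NTPv4 server reply: LI=0, VN=4, mode=4, stratum 2.
# The remaining fields are zero; their values do not matter for the MAC.
PACKET = b"\x24\x02\x06\xec" + bytes(44)

# Constructed trusted-key table, the in-memory form of an ntp.keys file.
KEYS = {1: b"example-shared-secret-not-for-production"}

MAC_LEN = 4 + 16  # key ID + MD5 digest


def append_mac(packet, key_id, key):
    """Sender side: append key ID and MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message, keys):
    """Receiver side: return (ok, reason).  Rejects messages with no MAC,
    unknown key IDs, and any packet whose digest does not match."""
    if len(message) != 48 + MAC_LEN:
        return False, "no 20-byte MAC present"
    packet, mac = message[:48], message[48:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    expected = hashlib.md5(key + packet).digest()
    # Constant-time comparison so the check itself leaks nothing.
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    signed = append_mac(PACKET, 1, KEYS[1])
    print("genuine:", verify_mac(signed, KEYS))
    # Flip one byte of the transmit timestamp, as a spoofer altering the time would.
    forged = signed[:40] + b"\xff" + signed[41:]
    print("forged: ", verify_mac(forged, KEYS))
```

The same scheme protects mode 6 queries when the control key is set; the point the article makes is that without either this MAC or an access control list, anyone on the path can both read those packets and inject their own.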

4. Monitor Restarts – NTP clients do a good job at detecting and ignoring packets that indicate a large time shift. RFC 5905 calls this a panic threshold, which is set by default to 1000 s. However, the RFC also states that the NTP client should quit when it sees a large time shift like this.

The problem with this is that most modern operating systems will restart a vital service like NTP when it quits after a significant time shift. When the NTP daemon restarts, it may be configured to ignore this threshold. This means that an attacker who takes over an active NTP server might force clients to move to the wrong time simply by sending the wrong time consistently enough that the clients’ NTP daemons quit and are restarted.

Some steps that can be taken to mitigate this:

  • Actively monitor system logs. Several NTP clients restarting at the same time may be an indication that a server is not being honest.
  • Configure your NTP clients to ignore the panic threshold on restart. This may result in those clients not using the NTP service at all in the event of an attack, but at least they won’t use the wrong time.
  • If you’re already using multiple NTP servers, increase the minimum number of servers required before the NTP clients adjust the clocks.

These practices can be used by all NTP users in order to mitigate attacks on the service and ensure that their networks always have the correct time.
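The first mitigation, watching the logs for correlated restarts, is the one a SOC can automate. The example below is added here and is not code from the article or from Orolia: it scans syslog-style lines from a fleet of NTP clients for the ntpd panic-threshold message and the service manager’s restart notice, then raises an alert when several distinct hosts hit either within a short window and reports the size of the time correction each one refused. The log lines are constructed for the example; their wording is modelled on the messages ntpd and systemd emit, but they were not captured from a real system, and the host names, times and thresholds are assumptions.

```python
"""Added example, not from the article: correlate ntpd panic-threshold
messages and service restarts across many clients.  Log lines are
constructed (wording modelled on ntpd and systemd, not captured)."""
import re
from datetime import datetime

# Constructed sample: hosts a, b and c all refuse a ~2400 s correction and
# are restarted within one minute; host d restarts alone hours later.
SAMPLE_LOG = """\
2019-09-12T13:00:01 host-a ntpd[811]: time correction of 2400 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
2019-09-12T13:00:03 host-a systemd[1]: ntp.service: Scheduled restart job, restart counter is at 1.
2019-09-12T13:00:07 host-b ntpd[733]: time correction of 2399 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
2019-09-12T13:00:09 host-b systemd[1]: ntp.service: Scheduled restart job, restart counter is at 1.
2019-09-12T13:00:31 host-c ntpd[905]: time correction of 2401 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
2019-09-12T13:00:33 host-c systemd[1]: ntp.service: Scheduled restart job, restart counter is at 1.
2019-09-12T17:45:10 host-d systemd[1]: ntp.service: Scheduled restart job, restart counter is at 1.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)\[\d+\]: (.*)$")
PANIC_RE = re.compile(r"time correction of (-?\d+) seconds exceeds sanity limit")
RESTART_RE = re.compile(r"ntp\S*\.service: Scheduled restart job")


def parse_events(text):
    """Return (timestamp, host, kind, correction) tuples; kind is 'panic' or
    'restart', correction is the refused shift in seconds for panics."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, host, _prog, msg = m.groups()
        when = datetime.fromisoformat(stamp)
        panic = PANIC_RE.search(msg)
        if panic:
            events.append((when, host, "panic", int(panic.group(1))))
        elif RESTART_RE.search(msg):
            events.append((when, host, "restart", None))
    return events


def suspicious_windows(events, window_seconds=300, min_hosts=3):
    """Slide over events in time order; whenever >= min_hosts distinct hosts
    panic or restart within window_seconds, emit one alert for that window."""
    events = sorted(events, key=lambda e: e[0])
    alerts = []
    i = 0
    while i < len(events):
        start = events[i][0]
        in_window = [e for e in events[i:]
                     if (e[0] - start).total_seconds() <= window_seconds]
        hosts = sorted({e[1] for e in in_window})
        if len(hosts) >= min_hosts:
            alerts.append({"start": start.isoformat(), "hosts": hosts,
                           "corrections": sorted(e[3] for e in in_window
                                                 if e[2] == "panic")})
            i += len(in_window)          # do not re-alert on the same burst
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in suspicious_windows(parse_events(SAMPLE_LOG)):
        print("correlated NTP restarts from %s: hosts=%s refused corrections=%s"
              % (alert["start"], alert["hosts"], alert["corrections"]))
```

Near-identical refused corrections across hosts (here 2399 to 2401 s) are the tell: unrelated clock faults would not all disagree with the server by the same amount. Which log source and service name to match depends on the client platform, so the regexes are starting points to adapt, not a finished rule.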

Thank you to Denis Reilly, of Orolia, for the article.

Ixia – Exposing Hidden Security Threats and Network Attacks

How do you ensure maximum service availability while protecting and securing your enterprise? IT departments have been wrestling with this problem for years. Virtualization and mobility are expanding the traditional network boundary, which means data and assets no longer sit in a single location behind a firewall.

Network security monitoring involves processing and examining all the traffic entering and leaving this expanding perimeter. Hackers and the tools they use to infiltrate network and exfiltrate company secrets are more sophisticated than ever.

Ixia’s resource, linked from the original newsletter, covers the following:

  • The digital warfare attackers are waging such as malware, phishing, and advanced persistent threats
  • The IT trends affecting traditional enterprise security techniques
  • The challenges of securing enterprise networks with inline and out-of-band monitoring tools
  • How to integrate inline and out-of-band security tools to maximize their capabilities and fend off threats
  • The four elements of Ixia’s Security Architecture and how they ensure resilient delivery of relevant traffic to enterprise security, compliance, and analytics tools

Thank you to Ixia, a Keysight Business, for the article.

Orolia Case Study – Banking on BroadShield

Why This Case Study is Relevant

It demonstrates the importance of installing anti-jam and anti-spoofing software.

Background 

A major international financial services provider was experiencing issues in their lab environment with its GNSS-based timing systems. GNSS reception was being intermittently lost and the customer didn’t know why. Rather than using a stronger, interference-resistant signal like STL from Orolia, the customer was using a competitor’s traditional GPS-based antenna, which was experiencing trouble from an unknown source of RF interference.

Solution 

Orolia installed BroadShield, our powerful anti-jam and anti-spoof software, into the customer’s SecureSync time server. BroadShield immediately took mitigating action by identifying the potential GPS/GNSS signal interference. The customer had been uncertain whether they would ever see BroadShield in action, but thought it was a prudent investment given the critical role of GPS-based timing in the infrastructure they were rolling out. After all, accurate time is a major part of financial regulations. This incident proved that BroadShield worked as described by protecting the fidelity of their network and ensuring ongoing compliance with regulations.

Result 

The customer was so pleased that they mandated that all of their stratum 1 time servers, and even a few stratum 2 units, would include anti-jam antennas and BroadShield as their standard configuration.

Thank you to Jeremy Onyan, of Orolia, for the article.

Webinar – Orolia GPS/GNSS Spoofing & Jamming: Threats and Countermeasures

When: Thursday, September 12, 2019 

At: 1:00 pm Eastern Daylight Time

Join John Fischer, Omer Sharar, and John Pottle as they describe common threats to GPS/GNSS signals as well as solutions to detect and mitigate interference such as jamming and spoofing for critical systems.

You’ll hear from industry experts who will present commercial and defense perspectives on topics including:

  • The reality of GPS/GNSS spoofing and jamming worldwide
  • Protecting and enabling critical operations
  • Ensuring continuous operations, even in GNSS denied environments
  • How each panelist’s organization is addressing this issue

To register, just click on the Register Here button. Audience members may arrive 15 minutes in advance of presentation time.

Thank you to Orolia for the presentation. 

iBypass and Thoughts in a Traffic Jam

Each of us has sat in standstill traffic, trying to understand why this major highway we drive all the time has suddenly backed up, with our phone maps application showing a line of red for the next mile or two. As we crawl towards the bottleneck, we see it: a fender bender with dented cars still blocking a lane of traffic. We see police on the scene, and it looks like they’re waiting for a tow truck to arrive to get the vehicles off the road. With plenty of time to think as we wait with hundreds of others to get through the log-jam, we ask ourselves: how much is this accident costing all the people around me in terms of 1) time, 2) lost productivity, 3) wasted fuel, etc.?

A network running 100G of traffic can be very similar to the commuter’s headache described above. Security tools are a given in today’s big networks, but when there’s an ‘accident’ (tool outage), the costs of a slow response to clearing the ‘highway’ can be enormous. Ixia’s new iBypass 100G is the best way to ensure that tool outages, which are inevitable in high traffic environments, don’t slow down any network traffic. The iBypass 100G has up to two modules (either single-mode or multi-mode) which feature configurable heartbeat detection to allow constant monitoring of the attached tools, so that the second a problem is detected, traffic can be diverted from the tools so that it flows without interruption until the outage is resolved.

Speaking of traffic nightmares, we sometimes find ourselves cursing at city planners who have seemingly scheduled a road repair during rush hour, when it could have been done at 3am on a Sunday morning with much less impact on the 8am meeting we are now going to miss. Ixia’s iBypass 100G is designed so that it’s easy to schedule tool maintenance and take advantage of our forced bypass mode to divert traffic while tool maintenance or upgrades are performed during off hours.

If you could guarantee a smooth commute on a highway where accidents were cleared within seconds of happening, where road maintenance was never scheduled during the hours you drive to work, and where there were always enough lanes to accommodate the busiest times of day, wouldn’t you choose that over the alternative? We agree. Choose Ixia’s new iBypass 100G for all your network packet “commuters”.

Thank you to Todd Puner, Product Manager with Ixia, a Keysight Business, for the article.