What time is it? If you looked at the lower right corner of your Windows PC screen, you know what time it is. That is good enough for most people, but followers of the Bach Seat want to know more. How does Microsoft know that time it is? Microsoft and everybody else uses Internet Engineering Task Force (IETF) RFC 7822 standard protocol called Network Time Protocol (NTP).
Network Time Protocol (NTP)
NTP is one of the oldest Internet protocols still in use. NTP was designed by UMich alum David Mills at the University of Delaware. NTP can maintain time to within tens of milliseconds over the public Internet, and better than one-millisecond accuracy on a LAN. Like many other things in the network world, NTP is set up as a hierarchy. At the top of the tree are “Atomic Clocks” (Stratum 0). Corporations, governments, and the military run atomic clocks.
Atomic clocks are high-precision timekeeping devices that use the element cesium, which has a frequency of 9,192,631,770 Hertz. That means it “oscillates” a little over nine billion times a second. Knowing the oscillation frequency and then measuring it in a device creates an incredibly accurate timekeeping mechanism. Atomic clocks generate a very accurate interrupt and timestamp on a connected Stratum 1 computer. Stratum 0 devices are also known as reference clocks. The other stratum levels are:
1 – These are computers attached to stratum 0 devices. Stratum 1 servers are also called “primary time-servers”.
2 – These are computers that synchronize over a network with stratum 1 servers. Stratum 2 computers may also peer with other stratum 2 computers to offer more stable and robust time for all devices in the peer group.
3 computers synchronize with stratum 2 servers. They use the same rules as stratum 2, and can themselves act as servers for stratum 4 computers, and so on.
Once synchronized, with a stratum 1, 2, or 3 server, the client updates the clock about once every 10 minutes, usually requiring only a single message exchange. The NTP process uses User Datagram Protocol port 123. The NTP timestamp message is 64-bits and consists of a 32-bit part for seconds and a 32-bit part for the fractional second. 64-bits gives NTP a time scale of 232 seconds (136 years) and a theoretical resolution of 232 seconds (233 picoseconds). NTP uses an epoch of January 1, 1900, so the first rollover will be on February 7, 2036.
Microsoft Windows Time Service
Microsoft (MSFT) has a mixed history of complying with NTP. All Microsoft Windows versions since Windows 2000 include the Windows Time service (“W32Time”) which was originally implemented to support the Kerberos version 5 authentication protocol. It required time to be within 5 minutes of the correct value to prevent replay attacks. The NTP version in Windows 2000 and XP violates several aspects of the NTP standard. Beginning with Windows Server 2003 and Vista, MSFT’s NTP was reliable to 2 seconds. Windows Server 2016 can now support 1ms time accuracy.
In 2014 a new NTP client, ntimed, was started. As of May 2017, no official release was done yet, but ntimed can synchronize clocks reliably under Debian and FreeBSD, but has not been ported to Windows or Apple (AAPL) macOS.
Accurate time across a network is important for many reasons; discrepancies of even fractions of a second can cause problems. For example:
- Distributed procedures depend on coordinated times to make sure proper sequences are followed.
- Authentication protocols and other security mechanisms depend on consistent timekeeping across the network.
- File-system updates carried out by a number of computers depend on synchronized clock times.
- Network acceleration and network management systems also rely on the accuracy of timestamps to measure performance and troubleshoot problems.
- Each individual blockchain includes a timestamp representing the approximate time the block was created.
NTP vulnerabilities
NTP has known vulnerabilities. The protocol can be exploited and used in distributed denial of service (DDoS) attacks for two reasons: First, it will reply to a packet with a spoofed source IP address; second, at least one of its built-in commands will send a long reply to a short request.
More vulnerabilities were recently discovered in NTP. SearchSecurity.com reports that security researcher Magnus Stubman discovered the vulnerability and, instead of going public, took the mature route and privately informed the community of his findings. Mr. Stubman wrote that the vulnerability he discovered could allow unauthenticated users to crash NTPF with a single malformed UDP packet, which will cause a null point dereference. The article explains this means that an attacker could be able to craft a special UDP packet that targets NTP, resulting in an exception bypass that can crash the process. A patch to remediate specific vulnerability — named NTP 4.2.8p9 — was released by the Network Time Foundation Project.
This is a Windows-only vulnerability at this time. The author urges anyone running the NTP daemon on a Windows system to patch it as soon as possible. This particular DoS attack against NTP could incapacitate a time-server and cause havoc in the network. The easiest fix is to apply the NTP patch the article states.
rb-
NTP is important to your network and patching and protecting it should be a priority. The threat to your environment is real. If NTP is not patched, an attacker could take advantage of the chaos created by this vulnerability to hide their tracks since timestamps on files and in logs won’t match.
Way back in the day, when I was a network administrator, I inherited a network where a directory services container was frozen. Seems that time had never been properly set up on the server holding the replica and as time passed, the server time drifted away from network time and at some point, we could not make changes or force a replica update. That meant a late-night call to professional services to kill the locked objects and then apply DSRepair –xkz (I think) and then re-install a R/O replica.
Related articles
- A ‘leap second’ will make 2016 a little longer (businessinsider.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.