3.7 The Network Time Protocol
The Network Time Protocol (NTP) [Mills, 1992] is a valuable adjunct to gateway machines. As its name implies, it is used to synchronize a machine's clock with the outside world. It is not a voting protocol; rather, NTP supports the notion of absolute correct time, as disclosed to the network by machines with atomic clocks or radio clocks tuned to national time synchronization services. Each machine talks to one or more neighbors; the machines organize themselves into a directed graph, depending on their distance from an authoritative time source. Comparisons among multiple sources of time information enable NTP servers to discard erroneous inputs; this provides a high degree of protection against deliberate subversion as well.
Global Positioning System (GPS) receivers can supply very cheap and accurate time information to a master host running ntpd. Sites concerned with security should have a source of accurate time. Of course, the satellite signals don't penetrate well to most machine rooms, which creates wiring issues.
Knowing the correct time enables you to match log files from different machines. The timekeeping ability of NTP is so good (generally to within an accuracy of 10 ms or better) that one can easily use it to determine the relative timings of probes to different machines, even when they occur nearly simultaneously. Such information can be very useful in understanding the attacker's technology. An additional use for accurate timestamps is in cryptographic protocols; certain vulnerabilities can be reduced if one can rely on tightly synchronized clocks.
Log files based on the NTP data can also provide clues to actual penetrations. Hackers are fond of replacing various system commands and changing the per-file timestamps to remove evidence of their activities. On UNIX systems, though, one of the timestamps, the "i-node changed" field (the ctime), cannot be changed explicitly; rather, it reflects the system clock as of when any other changes are made to the file. To reset the field, hackers can and do temporarily change the system clock to match. But such fluctuations are quite distressing to NTP servers, which think that they are the only ones playing with the time of day; and when they are upset in this fashion, they tend to mutter complaints to the log file.
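The two checks just described, as an added example that is not part of the book: a pass over file timestamps looking for a ctime that disagrees with a (resettable) mtime, and a pass over ntpd's log looking for large clock steps. The log phrasing matched here is an assumption modelled on ntpd's own "time reset" and "exceeds sanity limit" complaints; the sample log lines and stat tuples are constructed for the demonstration, and the paths in them are not real findings.

```python
"""Timestamp and ntpd-log checks for the clock-rollback trick.
Illustrative code, not from the book or from the NTP distribution."""
import os
import re
from typing import Iterable, List, Tuple

TOLERANCE_S = 2.0   # an ordinary write leaves ctime within a breath of mtime

# Assumed ntpd syslog phrasing; confirm against the daemon you actually run.
STEP_RE = re.compile(r"time reset ([+-]\d+(?:\.\d+)?) s")
SANITY_RE = re.compile(r"time correction of ([+-]?\d+) seconds exceeds sanity limit")

# Constructed sample lines in ntpd's syslog style: a benign slew, then a day-long
# step backwards and the matching step forwards once the intruder was done.
SAMPLE_NTP_LOG = """\
Mar  3 02:11:09 gw ntpd[412]: time reset +0.031822 s
Mar  3 02:17:40 gw ntpd[412]: time correction of -86400 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
Mar  3 02:19:02 gw ntpd[412]: time reset -86399.874512 s
Mar  3 02:31:55 gw ntpd[412]: time reset +86400.102004 s
"""

# Constructed (path, mtime, ctime) triples, in epoch seconds.
SAMPLE_STAT = [
    ("/bin/login", 1_000_000_000.0, 1_046_600_000.0),   # mtime pushed back years
    ("/etc/passwd", 1_046_599_000.0, 1_046_599_000.5),  # normal edit
    ("/bin/ps", 1_046_700_000.0, 1_046_600_000.0),      # ctime older than mtime
]


def timestamp_anomalies(entries: Iterable[Tuple[str, float, float]],
                        tolerance: float = TOLERANCE_S) -> List[Tuple[str, float]]:
    """Return (path, ctime - mtime) for files whose ctime is later than mtime
    by more than `tolerance` (consistent with `touch -t` having reset mtime)
    or earlier than mtime (only possible if the system clock itself moved).
    This is a triage hint, not proof: package managers that preserve mtime
    produce the first pattern legitimately."""
    flagged = []
    for path, mtime, ctime in entries:
        delta = ctime - mtime
        if delta > tolerance or delta < 0:
            flagged.append((path, delta))
    return flagged


def scan_directory(root: str) -> List[Tuple[str, float]]:
    """Walk a real tree and feed lstat() results to timestamp_anomalies()."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            entries.append((path, st.st_mtime, st.st_ctime))
    return timestamp_anomalies(entries)


def clock_step_complaints(lines: Iterable[str],
                          min_step: float = 60.0) -> List[Tuple[str, float]]:
    """Return (line, step_seconds) for ntpd complaints about a clock step of at
    least `min_step` seconds in either direction; small slews are ignored."""
    hits = []
    for line in lines:
        m = STEP_RE.search(line) or SANITY_RE.search(line)
        if m is None:
            continue
        step = float(m.group(1))
        if abs(step) >= min_step:
            hits.append((line.strip(), step))
    return hits


if __name__ == "__main__":
    for path, delta in timestamp_anomalies(SAMPLE_STAT):
        print(f"timestamp anomaly: {path} (ctime - mtime = {delta:+.1f} s)")
    for line, step in clock_step_complaints(SAMPLE_NTP_LOG.splitlines()):
        print(f"clock step {step:+.1f} s: {line}")
```

Correlating the two is the useful part: a binary whose ctime falls inside the window between a large negative step and the matching positive step was almost certainly touched while the clock was rolled back.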
NTP itself can be the target of various attacks [Bishop, 1990]. In general, the point of such an attack is to change the target's idea of the correct time. Consider, for example, a time-based authentication device or protocol. If you can reset a machine's clock to an earlier value, you can replay an old authentication string.
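The replay just described, worked through as an added example (not code from the book): a TOTP-style token derived from a shared secret and a 30-second time window, a naive verifier that trusts only the clock, and a hardened one that additionally remembers the highest window it has ever accepted. The shared secret, the window length and the epoch values are assumptions chosen for the demonstration; the `now` argument stands in for the system clock the attacker can reset.

```python
"""Clock rollback versus a time-based authentication token.
Illustrative code, not from the book."""
import hashlib
import hmac
import struct

KEY = b"demo-shared-secret"   # assumed pre-shared key between token and server
STEP = 30                     # assumed window length in seconds


def token_for(key: bytes, now: float) -> str:
    """HMAC of the current 30-second window number, truncated to 16 hex digits."""
    counter = int(now) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return mac.hex()[:16]


class NaiveVerifier:
    """Accepts any token that matches the window the clock currently reports."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def verify(self, token: str, now: float) -> bool:
        return hmac.compare_digest(token, token_for(self.key, now))


class HardenedVerifier:
    """Also refuses to go backwards: a token for a window at or before the
    highest window already accepted is rejected even if the clock agrees."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1

    def verify(self, token: str, now: float) -> bool:
        counter = int(now) // STEP
        if counter <= self.last_counter:
            return False
        if not hmac.compare_digest(token, token_for(self.key, now)):
            return False
        self.last_counter = counter
        return True


def replay_demo():
    """Returns (first_use, use_after_an_hour, use_after_clock_rollback), each a
    (naive, hardened) pair of results."""
    t0 = 1_046_600_000          # assumed login time
    tok = token_for(KEY, t0)    # the authentication string an eavesdropper captured
    naive, hard = NaiveVerifier(KEY), HardenedVerifier(KEY)

    first = (naive.verify(tok, t0), hard.verify(tok, t0))
    later = t0 + 3600           # clock running normally: token has expired
    normal = (naive.verify(tok, later), hard.verify(tok, later))
    # Attacker resets the server's clock to the original window and replays.
    rolled_back = (naive.verify(tok, t0), hard.verify(tok, t0))
    return first, normal, rolled_back


if __name__ == "__main__":
    print(replay_demo())   # ((True, True), (False, False), (True, False))
```

The hardened verifier's high-water mark also rejects reuse of a still-valid token within its own window, which is standard advice for one-time tokens anyway; what it cannot do is distinguish a rolled-back clock from a clock that was simply wrong, which is why the server's own time source needs protecting as well.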
To defend against such attacks, newer versions of NTP provide for cryptographic authentication of messages. Although a useful feature, it is somewhat less valuable than it might seem, because the authentication is done on a hop-by-hop basis. An attacker who cannot speak directly to your NTP daemon may nevertheless confuse your clock by attacking the servers from which your daemon learns of the correct time. In other words, to be secure, you should verify that your time sources also have authenticated connections to their sources, and so on, up to the root. (Defending against low-powered transmitters that might confuse a radio clock is beyond the scope of this book.) You should also configure your NTP daemon to ignore trace requests from outsiders; you don't want to give away information on other tempting targets.
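An ntp.conf fragment illustrating both points, added here as an example and not taken from the book or the NTP distribution. The server address, key number and key file contents are assumptions; the directive names (`keys`, `trustedkey`, `server ... key`, `restrict ... noquery`) are those of the reference ntpd implementation.

```conf
# --- Weak: upstream unauthenticated, and any outsider may query the daemon
server 192.0.2.10
restrict default nomodify

# --- Corrected (assumed addresses and key ID)
keys /etc/ntp/keys          # file holding, e.g., the line:  1 MD5 <secret>
trustedkey 1
server 192.0.2.10 key 1     # authenticate only this hop; 192.0.2.10 must do the same upstream
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1          # local management tools keep full access
```

`noquery` is what refuses the ntpq/ntpdc "trace" style queries the text warns about; `nomodify` and `notrap` close the remote reconfiguration and trap paths. Note that `key 1` authenticates only the link to 192.0.2.10: per the hop-by-hop caveat above, it says nothing about how that server obtained its own time.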