NTP Vandalism: Solutions to the Misuse and Abuse of NTP Servers

NTP servers, like most systems are open to abuse and misuse. NTP servers can be flooded with traffic (a distributed denial of service - DDoS attack), the server's access policy could be violated or the NTP rules of engagement drawn up to prevent misuse of time servers could be breached.The abuse of NTP servers has received much attention of late due primarily to the case of D-link and a Danish Stratum 1 NTP server run by Poul-Henning Kamp. Mr Kamp noticed a huge rise in traffic to his time server, which at the time was the only Danish stratum 1 server available to the general public.He discovered that up to 90 percent of the traffic was coming from D-Link router products that were latching on to his stratum 1 server for a time reference.Normally only stratum 2 servers should connect to stratum 1 server and perhaps some servers where applications require more precision than that of a normal computer network, which can receive its time code via a multitude of sources.In many countries, timekeeping services are provided by a government agency (such as NPL in the UK or NIST in the US). As there is no Danish equivalent, Kamp provided his time service to the general public in return his ISP agreed to provide a free connection the assumption that the bandwidth involved would be relatively low. With the increased traffic caused by the D-Link routers, his ISP then requested Kamp pay for the extra bandwidth.D-Link is a Taiwanese based company that manufactures wireless and Ethernet products for the home and small office environment. Whilst not a deliberate attempt at sabotage Kamp’s time server D-Link routers were configured to directly query over 40 stratum 1 servers.The disagreement lasted fro nearly six months where in 2006 D-Link and Kamp announced they had come to an agreement and D-Link have reconfigured their new routers but little can be done about the existing products out there.A new defense has subsequently been added to NTP which responds to an authorized request with a packet explicitly requesting the client server stops requesting. This packet has been dramatically called the Kiss-of-death - KOD.Unfortunately the new requirements of the NTP protocol do not work retrospectively, and old clients and implementations do not recognize KoD it and at the moment there are not any technical means to counteract the misuse of NTP servers.