A Devil of a Time: How Vulnerable is NTP to Malicious Timeservers?

—The Network Time Protocol (NTP) synchronizes time across computer systems over the Internet and plays a crucial role in guaranteeing the correctness and security of many Internet applications. Unfortunately, NTP is vulnerable to so called time shifting attacks. This has motivated proposals and standardization efforts for authenticating NTP communications and for securing NTP clients . We observe, however, that, even with such solutions in place, NTP remains highly exposed to attacks by malicious timeservers . We explore the implications for time computation of two attack strategies: (1) compromising existing NTP timeservers, and (2) injecting new timeservers into the NTP timeserver pool. We first show that by gaining control over fairly few existing timeservers, an opportunistic attacker can shift time at state-level or even continent-level scale. We then demonstrate that injecting new timeservers with disproportionate influence into the NTP timeserver pool is alarmingly simple, and can be leveraged for launching both large-scale opportunistic attacks, and strategic, targeted attacks. We discuss a promising approach for mitigating such attacks.