We identify two attacks on the Network Time Protocol (NTP)'s cryptographically-authenticated broadcast mode. First, we present a replay attack that allows an on-path attacker to indefinitely stick a broadcast client to a specific time. Second, we present a denial-of-service (DoS) attack that allows an off-path attacker to prevent a broadcast client from ever updating its system clock; to do this, the attacker sends the client a single malformed broadcast packet per query interval. Our DoS attack also applies to all other NTP modes that are `ephemeral' or `preemptable' (including manycast, pool, etc). We then use network measurements to give evidence that NTP's broadcast and other ephemeral/preemptable modes are being used in the wild. We conclude by discussing why NTP's current implementation of symmetric-key cryptographic authentication does not provide security in broadcast mode, and make some recommendations to improve the current state of affairs.
These issues were discussed as part of the security release of ntpd 4.2.8p6. We do not recommend the use of NTP's broadcast mode, unless both the broadcast clients and the broadcast server are protected by a firewall.
paper (Appears in SIGCOMM Computer Communications Review (CCR), April 2016.)
Deja Vu Attack (CVE-2015-7973)
Authenticated Preemptable Modes Denial-of-Service Vulnerability (CVE-2015-7979)
This research was first disclosed on October 7, 2015 and made public on January 19, 2016.