On Borrowed Time: Measurement-Informed Understanding of the NTP Pool's Robustness to Monopoly Attacks

TL;DR

This paper provides a comprehensive measurement-based analysis of the NTP Pool's structure, usage, and vulnerabilities, revealing its susceptibility to monopoly attacks and suggesting improvements for robustness.

Contribution

It offers the first detailed, longitudinal measurement study of the NTP Pool, analyzing server independence, configurations, and attack vulnerabilities.

Findings

Only 19.7% of active servers are fully independent.

An informed adversary can mount monopoly attacks in 90% of countries.

The NTP Pool's robustness can be improved through specific measures.

Abstract

Internet services and applications depend critically on the availability and acc uracy of network time. The Network Time Protocol (NTP) is one of the oldest core network protocols and remains the de facto mechanism for clock synchronization across the Internet today. While multiple NTP infrastructures exist, one, the "NTP Pool," presents an attractive attack target for two basic reasons, it is: 1) administratively distributed and based on volunteer servers; and 2) heavily utilized, including by IoT and infrastructure devices worldwide. We %develop measurements to gather the first direct, non-inferential, and comprehensive data on the NTP pool, including: longitudinal server and account membership, server configurations, time quality, aliases, and global query traffic load. We gather complete and granular data over a nine month period to discover over 15k servers (both active and inactive) and shed new light into the NTP Pool's use, dynamics, and robustness. By analyzing address aliases, accounts, and network connectivity, we find that only 19.7% of the pool's active servers are fully independent. Finally, we show that an adversary informed with our data can better and more precisely mount "monopoly attacks" to capture the preponderance of NTP pool traffic in 90% of all countries with only 10 or fewer malicious NTP servers. Our results suggest multiple avenues by which the robustness of the pool can be improved.