At Usenix: Did the Shark Eat the Watchdog in the NTP Pool? Deceiving the NTP Pool’s Monitoring System
https://www.usenix.org/conference/usenixsecurity23/presentation/kwon
2 Likes
Read it, not impressed by it.
He seems to forget that many systems/monitors have links with GPS Stratum1 servers or have GPS signals themselves.
You can fool a monitor that a tested server is wrong and it will be put offline.
However, this will not affect the pool itself, nor the monitor system.
I order to disrupt the pool and disrupt time, you need to compromise GPS, Atomic-clocks, Radio-signals and other Stratum0 sources.
I doubt those sources can be attacked from outside or be set wrong via attacking or injecting.
As I stated many times before, if time is that critical to you systems buy your own GPS.
My monitors are fed by GPS (2 of them with PPS), and those lines are the preferred-lines, others are just set as backup. Good luck getting them to get wrong in time-keeping.
I keep saying, it’s near impossible to disrupt the pool, too many Stratum0/1 sources that tell the right time.
Also most Stratum2 servers connect directly to multiple Stratum1 servers.
Providers today have also multiple peers going into all sorts of directions, you need to hack the ISP of and NTP-server/monitor to make this happen. But then you got just 1 ISP/Monitor.
Even over Atlantic-lines, there are hundreds of them, you have to get in the middle of all of them.
No way this works. Else it would have happened already, it didn’t up-to today.
Small storm is a bucket of water 
GPS/GNSS can be spoofed terrestrially (at least the civilian version). Radio signals can be spoofed. Atomic clocks provide frequency, not time (e.g. PPS but not UTC).
Good luck doing that. As for the signals, there is no difference anymore between military and civilian.
It’s pretty simple to jam GPS signals, but to fake them is a different story.
Chrony for one will notice the GPS is wrong compared to it’s own ticks.
As for Atomic clocks, I know they provide PPS, but one set on UTC (can be done by hand), it will impossible to make them tick wrong if external lines are not used for timekeeping.
Let me ask you this, what will NTS change in this? As when you manage to spoof GSP or and Atomic-clock, the NTS will transfer the wrong time, just as NTP will.
Was anyone ever able to do this? Gallileo was designed to keep time no matter what and not controlled by anyone. So even if GPS/GNSS is set wrong by the military, the Gallieo signal will be correct.
Last I heard, GPS isn’t being manipulated anymore, it should be the same on accuracy. However the military signal is probably harder to jam.
But I could be wrong 
I wasn’t responding regarding NTS. I was responding to the assertion that the pool cannot be manipulated. Most stratum one servers in the pool are using GNSS. Depending on the particulars of the receiver, it can indeed be susceptible to terrestrial spoofing. The US stopped randomizing the low bits of the civilian GPS signal over two decades ago, increasing accuracy, but that has nothing to do with authentication, which the GPS military signal provides via encryption techniques unknown to most of us. A GPS/GNSS receiver could detect the easiest GPS spoofing by comparing with non-GPS GNSS sources, but a sophisticated attacker can still force civilian GNSS receivers to get the wrong position (hence time) by spoofing more than one constellation.
Search the web for “GPS spoofing” and filter out the hits for software to spoof a smartphone’s position for more details, for example:
I know it can be done.
But still, it will be just a few local servers, not the entire system.
That is my point.
You can spoof my GPS’ses and give them wrong time, however, Chrony will notice this and use other Stratum1 servers that are e.g. 2000Km away. You can not spoof those at the same time.
That is the entire point of the pool, there is so much backup of correct time, it’s impossible to bring it down the way this person describes.
Sure, if you hack the pool-servers (Ask’s servers) it can be done.
Still, it doesn’t matter if it’s NTP or NTS, as this paper talks about security…but keeps insisting the Man-In-The-Middle attacks will work. Yeah it will, for a few servers, not the pool.
It’s too global to attack, too many correct sources. That is why I don’t agree with the paper presented.
Else it would have happened to the pool already. Never did or worked 
If all computers could have their own reference clocks, there would be no need for NTP. Try getting GPS signal in a typical server room or datacenter.
NTS is a significant improvement in security of NTP. MITM attackers cannot mess with your clock. Using multiple sources doesn’t change anything if the attacker can intercept all your traffic (e.g. someone in your local network or ISP).
The paper was briefly discussed before here.
1 Like
To get GPS into a datacenter is not that hard.
You can run a coax outside, or use a powered cable to a receiver and then import it into a datacenter.
I have been in de data center of Level3 in Dusseldorf, it’s not that hard to get an antenna out.
You need to hack Level3 to keep them from providing correct time. I do not see that happening. NTS or NTP protocol.
1 Like