Home & Office

​Secure Network Time Protocol goes beta

Network Time Protocol is a vital part of the Internet that's recently been used in major DDoS attacks. To keep it from misused in the future, the first secure version of NTP beta has just been released.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Without Network Time Protocl (NTP) the Internet couldn't work. With it, though, some of the worst Distributed Denial of Service (DDoS) attacks ever have crippled parts of the Internet. The answer? The NTP Security Project's first public development release of NTPsec.

NTPsec logo
NTP is one of those quiet but essential, parts of the global Internet. It's what keeps servers and PCs around the world on time. It's what enables backups to work, your credit-card purchase to go through, and keeps many other fundamental network services working. The primary time-keepers of the net are stratum-0 devices, i.e. atomic clocks. NTP uses them to set the time for almost all Internet-connected devices.

Unfortunately, like other fundamental parts of the Internet, NTP development was neglected for years. Until recently, NTP development and maintenance had no funding to speak of. NTP relied entirely on a single developer working on it part-time.

Fortunately, the Core Infrastructure Initiative (CII) stepped in to fund both NTP and its sucessor, NTPSec. Since then, with additional support from the Center for Trustworthy Scientific Cyberinfrastructure and Indiana University's Center for Applied Cybersecurity Research, the following steps forward have been made with NTP:

  • Migrated NTP's development history from a proprietary repository with severe access limitations to a publicly-accessible git repository. This included reconstruction of data that was obfuscated by previous unclean migrations between source control systems.
  • Modernized NTP's build and test infrastructure in order to make it more stable and more accessible to developers. The build system reduction in complexity was itself incredible: 31,000 lines of kludgey, brittle code were reduced to 884 lines that were clean, modern, and reliable.
  • Created documentation suitable for on-boarding new developers. Previously NTP's documentation was both incomplete and years out of date/ This crippled NTP's ability to bring additional developers to bear on its problems.
  • Significantly improved NTP's aging codebase's maintainability and security.

The NTPSec beta, NTPsec 0.9, is now ready for open-source developers to work with and to government, corporate, and academic software and IT labs for feedback. It is not ready for prime time.

Eric S. Raymond, one of the project's lead developers, wrote on his blog, "This is an initial beta and has some rough edges, mostly due to the rather traumatic (but utterly necessary) replacement of the autoconf build system. Also, our range of ports is still narrow; if you're on anything but Linux or a recent FreeBSD the build may not work for you yet. These things will be fixed. However, the core function -- syncing your clock via NTP -- is solid, and using 0.9.0 for production might be judged a bit adventurous but wouldn't be crazy."

Raymond continued, "Most of the changes are under the hood and not user-visible. ... The most important change you can't see is that the code has been very seriously security-hardened, not only by plugging all publicly disclosed holes but by internal preventive measures to close off entire classes of vulnerabilities."

In the meantime, I encourage ordinary system administrators, in the strongest possible terms, to update to the latest version of NTP. Today, November 17, 2015, that's ntp-4.2.8p4. If you have access to your network's firewall, you should implement BCP38's Ingress and Egress filtering to help prevent your NTP servers from being used in DDoS attacks.

Further betas will be coming out soon. Within a few months, NTPsec will be ready for production use. Come that day, I'll urge all of you to switch over to NTPsec as soon as possible. Even with security improvements, vanilla NTP is no longer safe enough for long-term use in today's attacker-filled Internet.

Related Stories:

Editorial standards