[ntp:hackers] Sniffing out SNTP varmits

David L. Mills mills at udel.edu
Fri Jan 25 03:42:53 UTC 2008


Guys,

I've been thinking about how to detect whether a server truly conforms 
to the NTP specification or does not. In other words, how to sniff out 
an SNTP varmint operating above stratum 1 and acting improperly as a server.

1. If the varmint responds to ntpq it is surely the reference 
implementation or another conforming to the specification and supporting 
the control message protocol. I can't imagine why an SNTP implementation 
would go to the trouble to support that and not go all the way to 
implement the full spec. On the other hand, the reference implementation 
might have restricted control messages.

2. SNTP implementers are not likely to go to the trouble to fuzz the 
low-order bits of NTP timestamps. If a statistical analysis of the 
low-order 12 bits of the timestamp shows they are not random, the varmint is 
probably breaking the rules.

3. The reference implementation strikes separate timestamps for the 
receive and transmit timestamps. SNTP implementers are likely to set 
both the receive and transmit timestamp to the same value, which would 
finger the varmint as breaking the rules.

4. SNTP implementers are probably not taking the root delay and root 
dispersion seriously. If these don't change in small ways from packet to 
packet, or if the root dispersion does not show a sawtooth behavior as 
packets are received, the varmint is probably breaking the rules.

5. Careful SNTP implementers will probably heed the advice to respond 
to previous NTP versions. The reference implementation sneakily does not 
respond to version 1 packets. (It wouldn't work properly if it did.)

6. SNTP implementers are not likely to include symmetric modes. They 
require the server to retain state. However, a sloppy SNTP varmint can 
do just like Windows used to do and simply treat symmetric mode packets 
like client/server packets. These are readily detected.

7. A careful analysis of the server time series over a day or so reveals 
a surprising amount of information. Chapter 6 in das Buch has a graph 
for one of the NIST servers that call home once an hour using ACTS. The 
offsets show discontinuities at hourly intervals and the frequency 
stays constant during the hour. No doubt it should be possible to 
fingerprint SNTP implementations in ways like this.

These tests could be used in two ways. One or more can be put in the 
reference implementation with the intent to signal the system log when a 
varmint shows up. Used another way, they could be used as (one of) the 
acceptance criteria for a full NTP conformance.

Dave
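The packet-level checks in the post (separate receive/transmit timestamps, fuzzed low-order timestamp bits, and root delay/dispersion that moves and shows a sawtooth) can be run mechanically over a series of captured server responses. The following is an added example, not code from the post or from the NTP reference implementation: it parses the 48-byte NTP v4 header and applies those three heuristics to two constructed response series, one SNTP-style "varmint" and one that behaves the way a full implementation would. The thresholds (distinct-value count, 30-70% bit balance) and the sample packets are assumptions chosen for illustration.

```python
"""Heuristic checks for an NTP server's conformance, run over a series of
captured server responses (constructed sample data below)."""
import random
import struct

# NTP v4 packet header (RFC 5905), 48 bytes: LI/VN/mode, stratum, poll,
# precision, root delay, root dispersion, reference ID, then the reference,
# origin, receive and transmit timestamps as 64-bit fixed-point values.
NTP_HEADER = struct.Struct("!BBBbIIIQQQQ")


def parse_ntp(packet: bytes) -> dict:
    """Decode the fixed 48-byte NTP header into named fields."""
    (lvm, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, org_ts, rec_ts, xmt_ts) = NTP_HEADER.unpack(packet[:NTP_HEADER.size])
    return {
        "leap": lvm >> 6, "version": (lvm >> 3) & 7, "mode": lvm & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": root_delay, "root_dispersion": root_disp, "ref_id": ref_id,
        "ref": ref_ts, "org": org_ts, "rec": rec_ts, "xmt": xmt_ts,
    }


def build_response(rec_ts, xmt_ts, root_delay, root_disp, stratum=2) -> bytes:
    """Pack a mode-4 (server) NTP v4 response; used only to build sample data."""
    lvm = (0 << 6) | (4 << 3) | 4          # leap=0, version=4, mode=4 (server)
    return NTP_HEADER.pack(lvm, stratum, 6, -20, root_delay, root_disp,
                           0x0A000001, 0, 0, rec_ts, xmt_ts)


def analyze_responses(packets) -> dict:
    """Apply the timestamp and root-field heuristics to a list of responses."""
    fields = [parse_ntp(p) for p in packets]
    n = len(fields)
    # Separate receive/transmit timestamps: a conforming server strikes them
    # independently, so they should never be equal.
    same_rx_tx = sum(1 for f in fields if f["rec"] == f["xmt"])
    # Low-order 12 bits of the transmit timestamp: a full implementation fuzzes
    # them, so across many packets they should be varied and roughly bit-balanced.
    low12 = [f["xmt"] & 0xFFF for f in fields]
    ones = sum(bin(v).count("1") for v in low12)
    bit_balance = ones / (12 * n)
    low_bits_nonrandom = (len(set(low12)) <= max(1, n // 4)
                          or not 0.3 <= bit_balance <= 0.7)
    # Root delay/dispersion: should change slightly from packet to packet, and
    # dispersion should ramp up between clock updates and drop back (sawtooth).
    disps = [f["root_dispersion"] for f in fields]
    root_fields_static = (len({f["root_delay"] for f in fields}) == 1
                          and len(set(disps)) == 1)
    rises = sum(1 for a, b in zip(disps, disps[1:]) if b > a)
    drops = sum(1 for a, b in zip(disps, disps[1:]) if b < a)
    return {
        "same_rx_tx": same_rx_tx,
        "low_bits_nonrandom": low_bits_nonrandom,
        "root_fields_static": root_fields_static,
        "dispersion_sawtooth": rises > 0 and drops > 0,
    }


def flagged_rules(packets) -> list:
    """Names of the heuristics a response series trips (empty for a clean series)."""
    r = analyze_responses(packets)
    flags = []
    if r["same_rx_tx"]:
        flags.append("rec_equals_xmt")
    if r["low_bits_nonrandom"]:
        flags.append("low_bits_not_random")
    if r["root_fields_static"]:
        flags.append("root_fields_static")
    if not r["dispersion_sawtooth"]:
        flags.append("no_dispersion_sawtooth")
    return flags


def make_samples(count=16):
    """Constructed sample data: an SNTP-style 'varmint' series and a conforming one."""
    base = 0xE0000000 << 32                # an arbitrary NTP seconds value
    rng = random.Random(7)                 # fixed seed so the sample is repeatable
    varmint, conforming = [], []
    for i in range(count):
        t = base + (i << 32)               # one response per second
        # Varmint: rec == xmt, zero fraction (no fuzz), root fields frozen.
        varmint.append(build_response(t, t, 0x1000, 0x0200))
        # Conforming: independent timestamps, fuzzed fraction, jittery root
        # delay, and root dispersion that ramps up and resets every 4 packets.
        rec = t + rng.getrandbits(32)
        xmt = rec + rng.randrange(1 << 12, 1 << 20)
        conforming.append(build_response(rec, xmt, 2000 + rng.randrange(64),
                                         0x100 + (i % 4) * 0x80))
    return varmint, conforming


VARMINT_PACKETS, CONFORMING_PACKETS = make_samples()

if __name__ == "__main__":
    print("varmint   :", flagged_rules(VARMINT_PACKETS))
    print("conforming:", flagged_rules(CONFORMING_PACKETS))
```

On real captures, feed `analyze_responses` the raw UDP payloads of the server's replies in arrival order; the low-bit randomness check needs a few dozen packets before its verdict means much, and the sawtooth check is only meaningful over a span longer than the server's own polling interval.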

