[ntp:hackers] Sniffing out SNTP varmits
David L. Mills
mills at udel.edu
Fri Jan 25 03:42:53 UTC 2008
Guys,
I've been thinking about how to detect whether a server truly conforms
to the NTP specification or does not. In other words, how to sniff out
an SNTP varmint operating above stratum 1 and acting improperly as a server.
1. If the varmint responds to ntpq it is surely the reference
implementation or another conforming to the specification and supporting
the control message protocol. I can't imagine why an SNTP implementation
would go to the trouble to support that and not go all the way to
implement the full spec. On the other hand, the reference implementation
might have restricted control messages.
2. SNTP implementers are not likely to go to the trouble to fuzz the
low-order bits of NTP timestamps. If a statistical analysis of the
low-order 12 bits of the timestamp shows they are not random, the varmint is
probably breaking the rules.
3. The reference implementation strikes separate timestamps for the
receive and transmit timestamps. SNTP implementers are likely to set
both the receive and transmit timestamp to the same value, which would
finger the varmint as breaking the rules.
4. SNTP implementers are probably not taking the root delay and root
dispersion seriously. If these don't change in small ways from packet to
packet, or if the root dispersion does not show a sawtooth behavior as
packets are received, the varmint is probably breaking the rules.
5. Careful SNTP implementers will probably heed the advice to respond
to previous NTP versions. The reference implementation sneakily does not
respond to version 1 packets. (It wouldn't work properly if it did.)
6. SNTP implementers are not likely to include symmetric modes. They
require the server to retain state. However, a sloppy SNTP varmint can
do just like Windows used to do and simply treat symmetric mode packets
like client/server packets. These are readily detected.
7. A careful analysis of the server time series over a day or so reveals
a surprising amount of information. Chapter 6 in das Buch has a graph
for one of the NIST servers that call home once an hour using ACTS. The
offsets show discontinuities at hourly intervals and the frequency
stays constant during the hour. No doubt it should be possible to
fingerprint SNTP implementations in ways like this.
These tests could be used in two ways. One or more can be put in the
reference implementation with the intent to signal the system log when a
varmint shows up. Used another way, they could be used as (one of) the
acceptance criteria for a full NTP conformance.
Dave
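Three of the packet-level tells above (identical receive/transmit timestamps, non-varying low-order timestamp bits, frozen root delay/dispersion) can be checked offline on a captured series of server responses. The following is an added example, not code from the post or from the reference implementation; it parses the 48-byte NTPv4 header laid out in RFC 5905 and runs the checks over constructed sample packets, so the thresholds (e.g. "constant across the series") are illustrative assumptions, not ntpd's.

```python
import struct

# NTPv4 header (RFC 5905, 48 bytes, big-endian): LI/VN/mode, stratum, poll,
# precision, root delay, root dispersion, reference ID, then four 64-bit
# timestamps (reference, origin, receive, transmit).
NTP_HEADER = struct.Struct("!BBbbIII4Q")


def parse_ntp(packet):
    """Return the header fields the checks below use from one NTP packet."""
    f = NTP_HEADER.unpack(packet[:48])
    return {"mode": f[0] & 0x7, "stratum": f[1], "root_delay": f[4],
            "root_disp": f[5], "rec": f[9], "xmt": f[10]}


def sntp_tells(packets):
    """List the rule-breaking signs seen across a series of responses
    captured from one server (each item is a 48-byte packet)."""
    hdrs = [parse_ntp(p) for p in packets if parse_ntp(p)["mode"] == 4]
    tells = []
    # Tell: receive and transmit timestamps struck as a single value.
    if hdrs and all(h["rec"] == h["xmt"] for h in hdrs):
        tells.append("rec == xmt in every response")
    # Tell: low-order 12 bits of the transmit timestamp never vary.
    if len(hdrs) > 1 and len({h["xmt"] & 0xFFF for h in hdrs}) == 1:
        tells.append("low-order 12 bits of xmt constant")
    # Tell: root delay and root dispersion frozen from packet to packet.
    if len(hdrs) > 1 and len({(h["root_delay"], h["root_disp"]) for h in hdrs}) == 1:
        tells.append("root delay/dispersion never change")
    return tells


def build_response(rec, xmt, root_delay, root_disp, stratum=2):
    """Constructed sample: a mode-4 (server) NTPv4 response; ref ID 'GPS\\0'."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return NTP_HEADER.pack(li_vn_mode, stratum, 6, -20, root_delay, root_disp,
                           0x47505300, 0, 0, rec, xmt)


# Constructed series (not real captures): timestamps are 32.32 fixed point.
_SECS = 0xE0000000 << 32
CONFORMING = [build_response(_SECS | frac, (_SECS | frac) + 0x1A3F, 0x0100, 0x0400 + i * 0x10)
              for i, frac in enumerate((0x1A2B3C4D, 0x5E6F7081, 0x92A3B4C5))]
SNTP_LIKE = [build_response(_SECS | frac, _SECS | frac, 0x0100, 0x0400)
             for frac in (0x1A2B3000, 0x5E6F7000, 0x92A3B000)]

if __name__ == "__main__":
    print("conforming:", sntp_tells(CONFORMING))
    print("sntp-like: ", sntp_tells(SNTP_LIKE))
```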