NTPd DOS attacks

Miscreants who earlier this week took down servers for League of Legends, EA.com, and other online game services used a never-before-seen technique that vastly amplified the amount of junk traffic directed at denial-of-service targets.

Rather than directly flooding the targeted services with torrents of data, an attack group calling itself DERP Trolling sent much smaller sized data requests to time-synchronization servers running the Network Time Protocol (NTP). By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly amplify the firepower at their disposal. A spoofed request containing eight bytes will typically result in a 468-byte response to a victim, a more than 58-fold increase.              [Ars Technica]

Servers running TimeKeeper would diagnose such attacks early and ignore them.  In fact, whether TimeKeeper is serving NTP or Precision Time Protocol (PTP) it will shrug off many of the exploits that can bring down networks running free software time synchronization. The ubiquitous NTPd free server and client software is designed to expect a well controlled network with a limited range of possible errors and, certainly, without malicious requests.  TimeKeeper is designed for an enterprise environment where infrastructure failures are not tolerable.    The protocols simply define how clock updates are distributed on the network and the format of the packets, they do not solve problems of network robustness or security. Security, failover, audit trail, manageability and other critical enterprise service properties are the responsibility of the software that implements these protocols.

Managers of enterprise networks that depend on time distribution and synchronization need to determine whether these are critical services or not. If not, then lack of instrumentation, legacy security holes, and in-house patching may be acceptable. On the other hand, if timing is a critical service, then enterprise qualified software components are not optional. This issue should be of particular concern to firms that offer their own customers time as a service because failures on the customer side might be perceived by customers as a failure in the service itself and those failures may even blowback into the provider network.