Robert Beverly (San Diego State University), Erik Rye (Johns Hopkins University)
Internet services and applications depend critically on the availability and accuracy of network time. The Network Time Protocol is one of the oldest core network protocols and remains the de facto mechanism for clock synchronization across the Internet today. While multiple NTP infrastructures exist, one, the ``NTP Pool,'' presents an attractive attack target for two basic reasons, it is: 1) administratively distributed and based on volunteer servers; and 2) heavily utilized, including by IoT and infrastructure devices worldwide. We gather the first direct, non-inferential, and comprehensive data on the NTP Pool, including: longitudinal server and account membership, server configurations, time quality, aliases, and global query traffic load.
We gather complete and granular data over a nine month period to discover over 15k servers (both active and inactive) and shed new light into the NTP Pool’s use, dynamics, and robustness. By analyzing address aliases, accounts, and network connectivity, we find that only 19.7% of the pool’s active servers are fully independent. Finally, we show that an adversary informed with our data can better and more precisely mount “monopoly attacks” to capture the preponderance of NTP pool traffic in 90% of all countries with only 10 or fewer malicious NTP servers. Our results suggest multiple avenues by which the robustness of the pool can be improved.