Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Four Flaws Expose Critical Network Time-Keeping Servers to Attack

    Written by

    Robert Lemos
    Published December 23, 2014
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Four security vulnerabilities in a popular program for synchronizing time on Internet-connected computers could be used to compromise tens of thousands — and possibly millions—of servers, according to security experts.

      The vulnerabilities are in the ntpd server program, which is a popular open-source service used on Linux servers and other systems to implement the Network Time Protocol, or NTP. As of March 2014, some 4.6 million computers on the Internet were running the NTP service, according to data from the Shadowserver Foundation, a group that tracks botnets and other cyber-attack infrastructure.

      By conducting their own scans or using online services to scan the Internet, would-be attackers could build a list of vulnerable systems, Jason Trost, director of security firm ThreatStream, told eWEEK.

      “You can get a huge list of targets that could be identified from other sources,” he said. “Using that, you could quickly gain a foothold, exploit these machines and really use them for whatever purpose you wanted.”

      On Dec. 19, the U.S. Computer Emergency Readiness Team (US-CERT) and other response organizations alerted companies and users to the flaw in the popular NTP program. There are four vulnerabilities, but only one appears remotely exploitable, according to the advisory.

      Major software vendors were notified of the vulnerabilities by Google, whose researchers found the original flaws. NTP.org, the group that maintains the ntpd software, released an updated version on Dec. 19.

      NTP has gained some recent notoriety for its use as a mechanism for generating massive denial-of-service attacks. Using a technique known as an amplification attack, a miscreant could send an NTP server a small request and get back a much larger response. By spoofing the target’s Internet address as the source of the original request, the larger response is sent to the target. By repeating the technique with millions of requests to different NTP servers, an attacker can take down sites with very large bandwidth capacities.

      Not all programs that implement NTP are vulnerable to each of the flaws. Another popular program for implementing NTP, openntpd, was written from the ground up to be much more concise than ntpd and does not have the most serious vulnerabilities, Theo de Raadt, the founder of OpenBSD, said in an online statement. OpenBSD, an open-source version of the Unix operating system, uses openntpd for handling network time synchronization.

      In his message, de Raadt criticized ntpd as an outdated program. Compared with the less than 5,000 lines of code it took to write openntpd, ntpd has grown to more than 190,000 lines of code over the years.

      Ntpd is created using “unknown or largely unused code, poorly smithed in the past when these kinds of programming mistakes were not a significant consideration.”

      While anyone can check open-source code for vulnerabilities, wading through nearly 200,000 lines of code is a monumental task for any team of programmers. Yet, for such a critical piece of infrastructure, weeding out vulnerabilities is important, ThreatStream’s Trost said.

      “Simplicity is better for eliminating surface area for vulnerabilities,” he said. “The fewer lines of code and functionality, the less likelihood that vulnerabilities can hide in the code.”

      Robert Lemos
      Robert Lemos
      Robert Lemos is an award-winning journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×