On Tuesday, November 20th, routers, switches and servers across the Internet reset themselves (or attempted to reset themselves) back to the year 2000. This sudden change was caused by a reboot of the time server at the US Naval Observatory. Timing is extremely important to Internet communications; to that end, most network devices use the Network Time Protocol (NTP) to ensure they are running at the correct time. NTP operates over UDP port 123 and reaches out to a designated device to maintain time sync. There are volunteer hosts throughout the Internet, such as the one at the US Naval Observatory, that make themselves available for network administrators to sync their servers. When the NTP server at the US Naval Observatory rebooted, the server set itself back to the year 2000, and when network devices across the Internet checked in for an NTP update, their clocks tried to adjust themselves back to the year 2000 (many devices will not allow such a large time jump without a confirmation). This caused message boards and mailing lists all over the Internet to light up with confused network administrators wondering what had happened. SANS even posted about it on their Internet Storm Center blog (http://isc.sans.edu/diary.html?n&storyid=14548).
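The large-time-jump check mentioned above, as an added Python example that is not part of the original post: it parses an NTP server reply and refuses to step the clock when the offset exceeds a limit. The 1000-second limit, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_STEP_SECONDS = 1000       # assumed limit for this example; tune per device

def build_reply(unix_time, stratum=1):
    """Construct a 48-byte NTP server reply (constructed sample, not captured traffic)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4            # LI=0, version 4, mode 4 (server)
    secs = int(unix_time) + NTP_UNIX_DELTA
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll, precision
    body = struct.pack("!II4s", 0, 0, b"GPS\x00")   # root delay, dispersion, reference ID
    stamps = struct.pack("!8I", secs, 0, secs, 0, secs, 0, secs, 0)  # simplified: all four equal
    return header + body + stamps

def parse_transmit_time(packet):
    """Return the server's transmit timestamp as Unix seconds, or raise ValueError."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:
        raise ValueError("not a server reply")
    if packet[1] == 0 or packet[1] > 15:
        raise ValueError("server unsynchronized or sending kiss-o'-death")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_DELTA + frac / 2**32

def evaluate_reply(packet, local_unix_time, max_step=MAX_STEP_SECONDS):
    """Return (decision, offset_seconds); reject any step larger than max_step."""
    offset = parse_transmit_time(packet) - local_unix_time
    return ("reject" if abs(offset) > max_step else "accept"), offset

if __name__ == "__main__":
    # Constructed local clock value and a constructed reply claiming the year 2000.
    local = datetime(2012, 11, 20, 12, 0, tzinfo=timezone.utc).timestamp()
    stale = datetime(2000, 11, 20, 12, 0, tzinfo=timezone.utc).timestamp()
    for label, reply in (("stale", build_reply(stale)), ("sane", build_reply(local + 2))):
        print(label, evaluate_reply(reply, local))
```

A rejected reply is worth logging and alerting on, since it indicates the upstream source itself has gone wrong.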
This episode highlights a problem that too many security administrators ignore: being too reliant on “set it and forget it” services that are outside of their control. There has, rightfully, been a lot of discussion around securing connections to cloud providers, but too often critical communication paths, such as NTP, DNS, and YUM, are left at their default settings with no thought given to the security of that communication.
Too many network devices simply walk the user through the setup process, leaving default settings in place, with no one tracking those communications or understanding the hosts that are on the other side of those requests. Instead of centralizing control over critical protocols such as NTP and DNS, calls are made to untrusted (though they may be well-established) hosts. Knowing these default settings and updating them so these devices only communicate with other hosts within your network will go a long way toward improving the security of your “set it and forget it” services.