Question Can a NTP server contain a virus?

Toggle sidebar Toggle sidebar
Sort by date Sort by votes
B

bill001g

Titan
Aug 9, 2012
28,772
2,898
125,640
NTP is a pretty simple function. It only transfers the time and it does calculations to fix it based on the latency. Now in theory if there bug in the implementation of the NTP server in the router and the remote server was also compromised it could attempt to send some code fragment rather than the time that would somehow overlay memory in the router. Highly unlikley and routers are pretty stupid boxes its not like they run programs that are loaded from disk or something. All the function are in the software image when it loads and it can not be changed without rebuidling the router software image. Just a simple change to fix a typo in some screen in the router requires you to re compile and re link the router OS.
 
  • Like
Reactions: ditrate
Upvote 0 Downvote
alceryes

alceryes

Splendid
Jun 11, 2004
4,369
942
27,090
I don't think it's possible for the NTP protocol to carry a virus.
Your router is looking for a specific set of data when it checks for NTP, even if the NTP address went to a malicious entity it can't do anything over the NTP protocol that could affect your router, other than set an incorrect time/date, perhaps? There are a couple of Linux/Unix time bombs in 2036 and 2038 that, if a router was set to that, they may reboot and/or become unusable...? This is a stretch though.

However, the entity at the other end of the URL may log your IP address for followup breech attempts. To be safe, use one or more pool.ntp.org addresses.
 
  • Like
Reactions: ditrate
Upvote 0 Downvote
ditrate

ditrate

Great
Sep 4, 2022
122
1
85
It
bill001g said:
NTP is a pretty simple function. It only transfers the time and it does calculations to fix it based on the latency. Now in theory if there bug in the implementation of the NTP server in the router and the remote server was also compromised it could attempt to send some code fragment rather than the time that would somehow overlay memory in the router. Highly unlikley and routers are pretty stupid boxes its not like they run programs that are loaded from disk or something. All the function are in the software image when it loads and it can not be changed without rebuidling the router software image. Just a simple change to fix a typo in some screen in the router requires you to re compile and re link the router OS.
Click to expand...
It's a bridge router (no DNS or NAT is enabled).
 
Upvote 0 Downvote
B

bill001g

Titan
Aug 9, 2012
28,772
2,898
125,640
Not sure how that would even work.

When you set a device to bridge mode it barely even has a local IP to admin it. They generally have no ability to talk to anything on the internet because most these device do not even have the concept of gateway, they barely function on the same subnet.

Now some cable modems have a special ability to talk to the ISP using other protocols and can get their time set but this is all part of the ISP management of modem not something you can mess with even if you wanted to.
 
Upvote 0 Downvote
alceryes

alceryes

Splendid
Jun 11, 2004
4,369
942
27,090
ditrate said:
It's a bridge router (no DNS or NAT is enabled).
Click to expand...
In bridged mode your router is effectively just an addressable switch. Functionality will vary from device to device and manufacturer to manufacturer, but most route services don't even operate in bridged mode. Can you telnet/SSH to your router and see if the NTP service is even running?

Note that in bridged mode, your router may not even be addressable (dumb switch). In passthrough mode your router would remain addressable by your ISP in certain instances and may (or may not) be addressable by you. Unfortunately, ISPs play fast and loose with the 'bridged' and 'passthrough' terms so exact definition depends on the ISP in question.
 
Last edited:
Upvote 0 Downvote
ditrate

ditrate

Great
Sep 4, 2022
122
1
85
alceryes said:
In bridged mode your router is effectively just an addressable switch. Functionality will vary from device to device and manufacturer to manufacturer, but most route services don't even operate in bridged mode. Can you telnet/SSH to your router and see if the NTP service is even running?

Note that in bridged mode, your router may not even be addressable (dumb switch). In passthrough mode your router would remain addressable by your ISP in certain instances and may (or may not) be addressable by you. Unfortunately, ISPs play fast and loose with the 'bridged' and 'passthrough' terms so exact definition depends on the ISP in question.
Click to expand...
You trying to say that, if my ISP don't have good protection for it's consumers over the internet - I am in a big trouble?
 
Upvote 0 Downvote
ditrate

ditrate

Great
Sep 4, 2022
122
1
85
bill001g said:
Not sure how that would even work.

When you set a device to bridge mode it barely even has a local IP to admin it. They generally have no ability to talk to anything on the internet because most these device do not even have the concept of gateway, they barely function on the same subnet.

Now some cable modems have a special ability to talk to the ISP using other protocols and can get their time set but this is all part of the ISP management of modem not something you can mess with even if you wanted to.
Click to expand...
So, with my hardware I pretty much on a safe side?
 
Upvote 0 Downvote
alceryes

alceryes

Splendid
Jun 11, 2004
4,369
942
27,090
ditrate said:
You trying to say that, if my ISP don't have good protection for it's consumers over the internet - I am in a big trouble?
Click to expand...
If you just have a cable modem in place, and want to place the router in bridged or passthrough mode, then yes, you should have some other device (security appliance/firewall/router) in between you and the internet. For one thing, you'll have issues with multiple devices trying to get the (usually) one WAN IP given by your ISP.

One reason your ISP gives you a router is for the security it provides. If you place it in bridged mode, that's on you.
 
Upvote 0 Downvote
B

bill001g

Titan
Aug 9, 2012
28,772
2,898
125,640
I doubt you can get a device that is setup in bridge mode to even talk to a NTP server.

There is no way to tell, All this stuff would depend on how the vendor implemented it. Almost everything I have seen is when you set it to bridge mode all it does it that simple function. It converts data from the WAN port to the LAN port, normally you do this when the wan port is some other media like coax cable or fiber. If they are both ethernet all you have done is make your box into a dumb switch. In most cases a switch has no ability to talk to things on the internet. I know from trying this with my routers the NAS and VPN screens are all locked out and you can not use these features.
 
Upvote 0 Downvote
H

hotaru.hino

Glorious
Sep 1, 2020
9,834
3,580
46,090
A thing with viruses is that they must be executed in order to actually work. Requesting something from a server is almost always treated as data first, then depending on what the data actually is, gets treated as something executable.

So unless the application's implementation of handling an NTP server response is piss poor, it doesn't really matter what the server sends.
 
Upvote 0 Downvote
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom