Time Risk
Off-Path Attack Vectors
Off-path attackers have no privileged network position. They cannot observe NTP traffic between a client and its upstream servers. The attacks on this page require only an internet connection and packet spoofing capability — no BGP manipulation, no ISP cooperation, no access to upstream infrastructure. They are accessible to any motivated adversary.
All vectors on this page carry published CVEs or peer-reviewed proofs of concept presented at NDSS or IEEE DSN.
Kiss-of-Death rate-limiting isolation
CVE-2015-7704 — the original flaw
The Kiss-of-Death (KoD) packet is NTP’s built-in rate-limiting mechanism. When a server receives queries faster than its configured threshold, it responds with a KoD packet instructing the client to stop querying. CVE-2015-7704 exploited a validation failure: ntpd did not verify the origin timestamp on incoming KoD packets. A blind attacker could spoof a KoD from each of a client’s configured upstream servers and disable synchronisation entirely with a handful of packets. The isolated client drifts freely on its local oscillator. No error state is surfaced to the operator. (Malhotra et al., NDSS 2016)
This specific flaw was patched in ntpd 4.2.8p4 in October 2015. The structural threat was not.
CVE-2015-7705 — "Priming the Pump" — unpatched by design
The patch for CVE-2015-7704 requires a valid KoD to mirror the client’s 64-bit transmit nonce, making spoofing impractical. CVE-2015-7705 bypasses this requirement entirely by manufacturing a legitimate KoD rather than spoofing one.
The attacker floods each of the victim’s upstream NTP servers with high-volume queries using the victim’s source IP address. The server’s rate-limiting mechanism triggers against that address. The victim’s next genuine query returns a fully valid, server-generated KoD — no nonce guessing required. Repeated against every configured upstream server, this completely isolates the client’s clock. (Malhotra et al., NDSS 2016)
No software patch addresses CVE-2015-7705. It is a consequence of the rate-limiting mechanism itself — a core feature of the NTP specification. Removing the mechanism would break interoperability with the global NTP infrastructure. The vulnerability cannot be resolved at the application layer.
The isolated client drifts freely at its uncontrolled hardware oscillator rate. No alert fires. The condition is indistinguishable from a routine network outage. Mean time to detection is measured in hours.
IPv4 fragmentation injection
If direct application-layer manipulation is not viable, the attack descends to Layer 3.
By sending spoofed ICMP “Fragmentation Needed” messages, an attacker forces an upstream NTP server to fragment its responses. The first fragment carries the legitimate NTP header, including the transmit timestamp the client uses as a nonce. The attacker then injects a spoofed second fragment with a fabricated time payload. The client’s IP stack reassembles the packet — legitimate first fragment, attacker’s second fragment — and the NTP daemon processes the result as a valid server response. (Malhotra et al., NDSS 2016)
The vulnerability is at Layer 3. The NTP daemon processes packets after the operating system’s IP stack has reassembled them. The daemon has no visibility into whether reassembly was tampered with. No version of NTP, and no NTP configuration change, closes this vector. The achievable time shift is bounded only by the attacker’s intent; steps of hours or days in either direction have been demonstrated in published research.
What these vectors mean operationally
An attacker who isolates a server’s clock via CVE-2015-7705 does not announce the attack. The server continues to report healthy NTP synchronisation — it believes it is synchronised because the last successful sync appeared valid. The clock drifts silently at the hardware oscillator’s uncompensated rate, typically 10–100 ms per day.
The consequences depend on what the server does. Within days, timestamp-based validity windows begin closing — API replay prevention, Kerberos authentication, or session token expiry depending on the system. Within a week, TLS certificates may begin failing validation on hosts with sufficiently drifted clocks. Distributed database nodes lose consistency with peers. DR failover decisions become unreliable. The monitoring system shows green throughout.
Recovery requires identifying that the clock is wrong, determining when it went wrong, and establishing which timestamps in the audit trail are affected. For any system where those logs are evidence — in a dispute, a regulatory examination, or an incident report — an unexplained gap in timestamp provenance is the argument the counterparty uses.
Banks and financial institutions
ISO 8583 — the international standard underlying credit card authorisations and interbank payment messages — uses transmission timestamps to prevent replay attacks. Acceptance windows are typically 15 to 60 seconds. Once a clock has been drifted outside that window, every outbound transaction is automatically rejected as stale or invalid. The bank's database is healthy. The network is connected. 100% of transactions are failing — and the operations team is diagnosing what appears to be a software bug.
CNX Precision Time closes both vectors through authenticated transport. NTS-KE derives per-session AEAD keys; all subsequent packets are bound to those keys. CVE-2015-7705 requires the attacker to generate valid queries on behalf of the victim — impossible without the session keys. IPv4 fragmentation injection requires controlling the reassembled payload — authenticated extension fields cause the client to reject any substituted packet immediately. DNS is removed from the synchronisation path entirely via a local hostname pin, eliminating the poisoning precondition.