The Network Time Protocol is a standard protocol for the dissemination of time around a computer network. NTP was originally developed to synchronise Internet time clients. The protocol has a hierarchical structure, each level of the structure, or stratum, serves time to the level below. At the top of the protocol structure is a stratum-one network time server that synchronises to an external frequency source, such as GPS. There are a host of stratum 1 NTP time servers residing on the Internet for synchronising network time clients.



Over the last few years, there have been a number of NTP server abuse and misuse reports. This article discusses some of the reported NTP time server abuse incidents and describes NTP configuration methods that can reduce such problems. Many reported incidents seem to be because of equipment manufacturer configuration errors rather than malice.

Many NTP server misuse issues have arisen from client configuration errors, particularly in consumer electronic equipment. Due to the volume of consumer electronic equipment manufactured and in-use, any configuration issues with equipment that access NTP time servers can greatly magnify problems. Typically, clients with configuration errors or firmware bugs that cause repeated access to a network time server can cause server loading problems when a large number of clients are involved.

A recent high-profile incident of consumer electronic equipment causing NTP server problems was with consumer router equipment. Home router devices were accessing stratum 1 Internet time servers and flooding them with requests for time. Many NTP time server administrators noticed a large increase in traffic and server loading. Many stratum 1 NTP servers have an access policy that forbids anything other than a stratum 2 server from requesting time. Home router equipment should not therefore directly access a stratum 1 time server.

In another seperate NTP server abuse case, an Internet NTP time server resource was being swamped by increasingly larger volumes of requests for time. It was initially thought that this was due to an attack on the server. However, the amount of traffic continued to rise over time rather than decrease. It was eventually found that home router equipment manufactured by a large manufacturer had hard coded the NTP servers IP address in the products firmware. Each router in operation was contacting the server at regular intervals in an attempt to synchronise time. The volume of devices in operation eventually overloaded the server.

The NTP protocol implements a rather general-purpose address mask restricted use policy. This allows only IP addresses within a specified range or that fit a specified address mask access to a NTP time server. Alternatively, clients can be excluded from access by explicitly including them in a restriction list. Rogue clients can therefore be excluded access to the NTP server by explicitly restricting access.

Usually, the server drops NTP requests that are denied access. However, occasionally a harsher response is required. The time server can explicitly tell the client to stop sending with a special message. A 'kiss-o-death' packet has been created especially for this purpose. Kiss codes can convey useful information to an intelligent client. The packet contains character strings, that can be easily read in log files, that explain the denial of service. When a client receives a ?kiss-o-death' packet, it should stop sending to a particular server and locate an alternative server, if available. If no alternative server is available, the client should delay for an exponentially increasing time before retrying the server.