NTP Vandalism

Solutions to the Misuse and Abuse of NTP Servers

NTP servers, like most systems are open to abuse and misuse. NTP servers can be flooded with traffic (a distributed denial of service - DDoS attack), the server's access policy could be violated or the NTP rules of engagement drawn up to prevent misuse of time servers could be breached.

The abuse of NTP servers has received much attention of late due primarily to the case of D-link and a Danish Stratum 1 NTP server run by Poul-Henning Kamp. Mr Kamp noticed a huge rise in traffic to his time server, which at the time was the only Danish stratum 1 server available to the general public.

He discovered that up to 90 percent of the traffic was coming from D-Link router products that were latching on to his stratum 1 server for a time reference.

Normally only stratum 2 servers should connect to stratum 1 server and perhaps some servers where applications require more precision than that of a normal computer network, which can receive its time code via a multitude of sources.

In many countries, timekeeping services are provided by a government agency (such as NPL in the UK or NIST in the US). As there is no Danish equivalent, Kamp provided his time service to the general public in return his ISP agreed to provide a free connection the assumption that the bandwidth involved would be relatively low. With the increased traffic caused by the D-Link routers, his ISP then requested Kamp pay for the extra bandwidth.

D-Link is a Taiwanese based company that manufactures wireless and Ethernet products for the home and small office environment. Whilst not a deliberate attempt at sabotage Kamp's time server D-Link routers were configured to directly query over 40 stratum 1 servers.

The disagreement lasted fro nearly six months where in 2006 D-Link and Kamp announced they had come to an agreement and D-Link have reconfigured their new routers but little can be done about the existing products out there.

A new defense has subsequently been added to NTP which responds to an authorized request with a packet explicitly requesting the client server stops requesting. This packet has been dramatically called the Kiss-of-death - KOD.

Unfortunately the new requirements of the NTP protocol do not work retrospectively, and old clients and implementations do not recognize KoD it and at the moment there are not any technical means to counteract the misuse of NTP servers.

About the Author

Richard N Williams is a technical author and a specialist in the telecommunications and network time synchronisation industries. For more information about NTP servers please visit the Galsys homepage.

This article may not be republished or reprinted in its complete form or in part without seeking permission providing a relevant link to this site is maintained. It is a violation of copyright law to reprint or publish this content without following these terms.

Copyright © 2008

English French German Italian Spanish Portuguese Russian Swedish Dutch Norwegian Arabic Malay Polish Turkish Danish

Quick Enquiry

Quick Contact Form

Fill in the form or call 0121 608 7230 for more information on how a Galleon Time Server can work for you.




We respect your privacy - read our policy.

Popular Products

GPS NTP Server

GPS NTP Server

A Network timeserver using the GPS signal to synchronise time across large computer networks.

NTP Network Clock

Network Clock Display

The perfect partner for any Galleon NTP server or time server. Display Consistent and accurate time throughout your organization.

Network Time Server

MSF NTP Server

A complete solution for synchronising the time across any computer network.

Time Server

GPS Network Time Server

GPS clock providing time synchronisation for computer systems

Time Receiver

MSF Time Receiver

A complete solution for synchronising the time on a single computer to the MSF (radio) atomic time signals.