[time] Traffic figures to servers removed from the pool

Tapio Sokura oh2kku
Mon May 17 20:21:46 UTC 2010 

Hello,

I removed two time servers from the pool on January 8, 2009. At that 
time they had both been in the pool for a several years, can't really 
remember the exact number. Now that it's been about 16 months since the 
servers were removed from the pool and public time service on one of 
those has finally been disabled a few days ago, I'd like to share some 
easily gathered numbers from the last days. I haven't saved any historic 
datapoints since the servers were removed from the pool, so no pretty 
graphs, just a few current numbers.

Host A: At the time of disabling time service, the ntpdc -c monlist 
listed the oldest client at 24,9 days. Which means that 600 different 
hosts had asked for the time within the last 25 days. There were 351 
hosts that queried the server within the last 24 hours and 314 within 
the last hour. So after 16 months of not being in the pool, there were 
still more than 300 faithful clients that regularly asked what the time 
was. Currently about 150 NTP packets are received per minute at that 
host, ICMP port unreachable is sent as a reply.

Host B: At the moment host B is still serving time to anyone who asks 
and the oldest entry on ntpdc -c monlist is 40,8 days old. 231 clients 
had asked for the time within 24 hours and 214 within the last hour. 
About 60 NTP packets are received per minute at this host.

The results are pretty much what I expected. Most of the clients go away 
pretty quickly, but apparently there are some hosts that have very long 
(ntpd) uptimes and some clients probably have hardcoded IP addresses in 
their configurations. I'm suspecting hardcoding also because quite many 
of the IP addresses on the monlist come from the same network/domain. 
I.e. a local admin has rolled up a configuration package that has 
hardcoded IP addresses in it and distributed it to a bunch of machines 
in the company. Or deployed an (S)NTP software package that ships with 
hardcoded IP addresses of time servers.

I'm also not surprised that many clients react to ICMP port unreachable 
replies by immediately sending one or more retry packets, as can be seen 
when looking at the traffic on a packet sniffer. Luckily apparently no 
client that was using host A uses an algorithm where every received ICMP 
port unreachable message triggers an immediate re-request.

So in summary, if you remove a server from the pool, you'll probably 
never get totally rid of incoming NTP traffic. This should surprise 
nobody. I certainly didn't expect the traffic to go away completely, but 
it goes down to being pretty insignificant volume-vise eventually.

   Tapio

More information about the pool mailing list