[ntp:questions] NTPD concurrent clients limit

David L. Mills mills at udel.edu
Thu Jul 31 13:46:26 UTC 2008


Richard,

There have been several surveys of the public NTP subnet beginning from 
1997. The results then are reported in a briefing and paper available at 
the NTP project site. Surveys of this kind are discouraged in modern 
times as they set off intrusion alerts and nasty complaints. Once upon a 
time it was chic to observe that the Sun never sets on NTP, but suffice 
to say now that NIST estimates 25 million NTP clients of their public 
servers now.

Dave

Richard B. Gilbert wrote:

> Unruh wrote:
> 
>> "Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>>
>>> Unruh wrote:
>>>
>>>> "Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>>>>
>>>>> j. wrote:
>>>>>
>>>>>> Hi all,
>>>>>> I'm testing an embedded Linux device which implements an NTP server,
>>>>>> based on the ntpd daemon.
>>>>>> It looks like ntpd accepts only a limited number of requests from a
>>>>>> test client I've set up.
>>>>>> Do you know if there's such a limit or what's the logic behind it?
>>>>>> Maybe ntpd rejects bursts of requests coming from the same IP?
>>>>>>
>>>>>> Thanks in advance,
>>>>>> Gianandrea Gobbo.
>>>>>
>>>>> If you poll the server continuously at intervals of less than 64 
>>>>> seconds, most modern NTP servers will send you a "Kiss of Death" 
>>>>> packet.
>>>>> Polling this frequently is considered abusive!  It's also 
>>>>> unnecessary, NTP is designed to work with poll intervals between 64 
>>>>> seconds and 1024 seconds and will adjust its poll interval within 
>>>>> that range as needed.
>>>>
>>>> His question can be rephrased: what does ntpd do after it has sent 
>>>> the Kiss of Death? Does it drop all subsequent packets? -- That sounds 
>>>> like a huge cost on the ntp server -- i.e. imagine a popular server 
>>>> with 10,000 machines it has sent the KoD to. It then has to scan that 
>>>> whole list for each packet to see if it is in there -- something which 
>>>> takes time and destroys the ability of ntp to deliver its time base 
>>>> rapidly.
>>>>
>>>> Note that how ntpd handles this situation depends on which version 
>>>> of ntpd you are running.
>>>>
>>>>
>>>>> There are two exceptions to the above.  You may specify the 
>>>>> "iburst" keyword for a server and NTPD will send an INITIAL burst 
>>>>> of eight request packets at intervals of two seconds.  This is 
>>>>> designed for fast startup.  After the initial burst, polling 
>>>>> continues at intervals between 64 and 1024 seconds.
>>>>
>>>> So how does the server know whether this burst is an iburst or is a 
>>>> rogue client to which it should send a KoD?
>>
>>
>>> Ntpd keeps a list of its clients.  It should be able to tell if a 
>>> particular client is initializing or is abusing the server.
>>
>>
>> And how would it tell? And how DOES it tell (since there is a lot that
>> could have been programmed in and wasn't)? And why would it keep a list of
>> its clients? That could mean it would have to keep a list of 1000000
>> clients, and how does it prune the list? And how does it check that the
>> latest request is from an abuser, from a newcomer, or from a good guy?
>>
>>
>>
> 
> Ntpd can and does store the identity of several hundred clients and with 
> the proper incantation can be made to divulge their identities.
> 
> Do you, by any chance, recall the NTP survey that was done in 2005 by a 
> man in Brazil?  He had a program that would "crawl the web" and locate 
> virtually all the systems that would respond to an ntpdc query (or maybe 
> it was ntpq he used).  In any case this crawler found several thousand 
> machines serving time and got a list of their clients. Each server 
> revealed its connections to other servers and clients.
> 
> See http://www.ntpsurvey.arauc.br/ for the details.
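The thread above turns on two things a practitioner usually wants to see concretely: how a client recognises the "Kiss of Death" packet it gets for polling too often, and how a server might distinguish an eight-packet iburst startup from sustained sub-64-second polling while keeping a client list that can be pruned (Unruh's objection). The following is an added example written for this archive page, not code from the thread, from ntpd, or from the NTP project. It assumes the RFC 5905 packet layout and kiss codes (a KoD reply has stratum 0 and a four-character ASCII code such as RATE, DENY or RSTR in the reference-ID field); the `ClientRateMonitor` class is a hypothetical illustration of the heuristic described in the thread, not ntpd's actual rate-limiting algorithm, and the sample packets are constructed inline.

```python
import struct

NTP_HEADER_LEN = 48  # RFC 5905 fixed header, without extension fields

def build_packet(mode, stratum, refid, poll=6):
    """Construct a minimal 48-byte NTP header (test data for this example)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode  # leap=0, version=4
    return (struct.pack("!BBbb", li_vn_mode, stratum, poll, -20)
            + struct.pack("!II", 0, 0)          # root delay / dispersion
            + refid.ljust(4, b"\0")[:4]          # reference ID
            + struct.pack("!QQQQ", 0, 0, 0, 0))  # four 64-bit timestamps

def parse_ntp_header(pkt):
    """Decode the fixed header fields we need; raise on a truncated packet."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", pkt[:4])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "refid": pkt[12:16],
    }

def kiss_code(hdr):
    """Return the kiss code of a server reply (mode 4) with stratum 0, else None.
    A real reference ID on stratum >= 2 is an IPv4 address or hash, not ASCII."""
    if hdr["mode"] != 4 or hdr["stratum"] != 0:
        return None
    code = hdr["refid"]
    if all(0x20 <= b < 0x7F for b in code):
        return code.decode("ascii")
    return None

def next_poll_after_kod(code, current_poll):
    """Client-side reaction: RATE -> back off (double, clamped to 64..1024 s);
    DENY/RSTR -> stop polling this server (None); anything else -> unchanged."""
    if code in ("DENY", "RSTR"):
        return None
    if code == "RATE":
        return min(max(current_poll * 2, 64), 1024)
    return current_poll

class ClientRateMonitor:
    """Hypothetical server-side heuristic (NOT ntpd's algorithm): a brand-new
    client may send a startup burst of `burst_allowance` packets at any
    spacing (the iburst case from the thread); after that, any packet that
    arrives sooner than `min_interval` seconds after the previous one is
    answered with a KoD. Idle entries are pruned so the table stays bounded."""

    def __init__(self, burst_allowance=8, min_interval=64.0):
        self.burst_allowance = burst_allowance
        self.min_interval = min_interval
        self.clients = {}  # ip -> (packets_seen, last_arrival_time)

    def observe(self, ip, now):
        count, last = self.clients.get(ip, (0, None))
        verdict = "ok"
        if (count >= self.burst_allowance and last is not None
                and now - last < self.min_interval):
            verdict = "kod"
        self.clients[ip] = (count + 1, now)
        return verdict

    def prune(self, now, idle_seconds):
        """Forget clients not heard from within idle_seconds; returns count kept."""
        self.clients = {ip: v for ip, v in self.clients.items()
                        if now - v[1] <= idle_seconds}
        return len(self.clients)

if __name__ == "__main__":
    kod = parse_ntp_header(build_packet(mode=4, stratum=0, refid=b"RATE"))
    print("kiss code:", kiss_code(kod), "-> next poll",
          next_poll_after_kod(kiss_code(kod), 64))
    mon = ClientRateMonitor()
    print([mon.observe("198.51.100.7", t) for t in range(0, 18, 2)])
```

The monitor keeps two integers per client, which is what makes the pruning question in the thread answerable: the cost is bounded by how long idle entries are retained, not by the lifetime total of clients seen.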



