[ntp:questions] Very rapid polling

Richard B. Gilbert rgilbert88 at comcast.net
Wed Feb 11 04:16:28 UTC 2009

Unruh wrote:
> "Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>> Unruh wrote:
>>> "Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>>>> jlevine wrote:
>>>>> In the last few days I have seen an increasing number of systems that
>>>>> are requesting the time in NTP format several times per second. This
>>>>> poll interval is far in excess of the usual best practices. Since
>>>>> there are a number of such systems, it is possible that this problem
>>>>> is a result of a new version of NTP that has just been released.
>>>>> Please let me know if you have any information about a new version of
>>>>> NTP that can do this or if any of you are seeing the same problem.
>>>>> Thanks.
>>>>> Judah Levine
>>>>> Time and Frequency Division
>>>>> NIST Boulder
>>>> Have you captured the IP addresses of the systems involved?  If so, have 
>>>> you identified the ISP responsible for those addresses?  Complained to 
>>>> the ISP?  Etc, etc?
>>>> The half witted will always be with us. . . .
>>> There is no way you can set up ntpd so that it will poll many times a
>>> second, unless there is a severe bug in ntp. He is asking if perhaps such a
>>> bug exists in the latest version of ntpd (since the latest version just
>>> came out a month ago, and latest devel version a week ago, this would be a
>>> sensible worry).
>>> Alternatively one of those modem manufacturers may have screwed up again,
>>> or some ntp-like program has come out that has such a default.
>>> I agree that asking the IP addressee what it is that they are running might
>>> work, but probably not.
>> It may take a while to get results but if the only alternative is to do 
>> nothing and suffer. . . .  The ISPs have the power to cut these idiots 
>> off at the knees!  Whether they are willing to do so is something you 
>> have to ask them.  They also have the ability to reduce a network 
>> address to a street address.  Again, you have to ask.  If you ask on 
>> NIST letterhead, your chances of being taken seriously are much improved.
> IF it is a bug in ntp, then the users are not idiots, unless using ntp
> makes you an idiot. If it is a bug in some other ntp software, then the
> users of that software are not idiots, unless use of that software per se
> makes you an idiot. If it is some modem manufacturer who has misapplied ntp
> on their modem/router, again the same applies. He is trying to find out if
> it is possible that such bugs exist, or that anyone else has seen them.
>> As I recall my contract with Comcast, they can simply cut me off in 
>> response to just about any sort of abuse.  If nobody complains, I can 
>> get away with practically anything!
> Is a bug in the software "abuse"?

Yes!  It's customary to do some sort of minimal testing before 
distributing your software to the masses.

Given the past history; e.g. U-Wisconsin, Tardis, PHK vs. D-Link and a 
few other such incidents I'd say it's mandatory to do some pre-release 
testing of hardware, firmware, and/or software.  I'd say that it's also 
mandatory to read, and comply with, the relevant RFCs.

I doubt very much that ntpd has such a bug/misfeature!  The authors are 
very much aware of the potential problems and have done an excellent job.

It seems clear that the internet community needs a methodology for 
coping with such incidents.  Each time, it seems that a posse comitatus 
must be formed, the miscreants tracked down, and asked to fix their 
hardware, firmware, or software.  Sometimes, as in the U-Wisconsin 
incident it's not possible to track down all instances of the defective 

With the ever increasing use of the internet, the problems are only 
going to get worse!
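
Added example, not part of the original message or of any NTP distribution: one way a server operator could pick out the clients described at the top of the thread (requests several times per second) from a request log, so that the source addresses can be reported. The log format, the sample addresses (documentation ranges) and both thresholds are assumptions made for this sketch.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed log, one request per line: '<epoch seconds> <client IP>'."""
    lines = []
    # Constructed client polling every 64 s.
    lines += [f"{1000.0 + 64 * i:.3f} 192.0.2.10" for i in range(6)]
    # Constructed client: short burst 2 s apart, then 64 s polling.
    lines += [f"{1000.0 + 2 * i:.3f} 198.51.100.7" for i in range(8)]
    lines += [f"{1014.0 + 64 * i:.3f} 198.51.100.7" for i in range(1, 20)]
    # Constructed client sending four requests per second, sustained.
    lines += [f"{1000.0 + 0.25 * i:.3f} 203.0.113.99" for i in range(400)]
    lines.append("garbage line that should be ignored")
    return lines

def find_rapid_pollers(lines, min_interval=1.0, min_requests=20):
    """Return {ip: (request_count, median_gap_seconds)} for clients whose
    median gap between requests is below min_interval seconds.
    Both thresholds are assumptions to tune per server."""
    arrivals = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        try:
            arrivals[parts[1]].append(float(parts[0]))
        except ValueError:
            continue
    flagged = {}
    for ip, times in arrivals.items():
        if len(times) < min_requests:
            continue  # too few samples to judge
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # The median ignores a brief burst followed by normal polling,
        # so only sustained rapid polling is flagged.
        med = median(gaps)
        if med < min_interval:
            flagged[ip] = (len(times), med)
    return flagged

if __name__ == "__main__":
    for ip, (count, gap) in sorted(find_rapid_pollers(build_sample()).items()):
        print(f"{ip}: {count} requests, median gap {gap:.2f} s")
```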
