[ntp:security] Possible rogue timer

Joseph Parmelee jparmele at wildbear.com
Fri Feb 1 18:41:49 UTC 2013

Good afternoon:

It appears we might have a rogue timer at as indicated by this

bruno1:root ~# host 1.pool.ntp.org; sntp 1.pool.ntp.org; date
1.pool.ntp.org has address
1.pool.ntp.org has address
1.pool.ntp.org has address
1.pool.ntp.org has address
  1 Feb 10:36:49 sntp[1569]: Started sntp
  2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
  2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
  2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
  2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs

Note that it claims an accuracy much better than its actual performance.

Also note that this run shows my machine (which is not in the pool) to be
slow by some tens of milliseconds as indicated by the other members.  This
run was taken after my system had been locked onto; my pll
freq prior to that had been running a stable 23-25 ppm (depending on cpu
temp mainly) with estimated error below 20 ms.  It then locked onto one of
the other members but the pll freq was only at 9 ppm which indicates it was
considerably slower before, probably negative.  Unfortunately I don't have
the pll freq number while locked to

But this morning I again found my system locked onto and slow
relative to the other members by A WHOPPING 0.451 seconds!!.  At the same
time my pll freq was up to 75 which should have made it fast.

I can only conclude that is periodically going into some kind
of positive feedback oscillation.  My system had been running very stably
for many months until they appeared on the scene.

Please keep these guys out of the pool until they get it together as they
are very disruptive to anyone who tries to use them.


Joseph Parmelee
Network Administrator
Wild Bear Systems

PS This machine does not appear in a reverse-dns and it
doesn't respond to pings or traceroutes (the others do).  Lacnic shows the
number registered to ICE Costa Rica, but that really tells as little; so is
my IP (, and it doesn't show in reverse-dns either.  The
reverse-dns is ICE's responsibility.  I can only affect the forward-dns

More information about the security mailing list