[ntp:security] Possible rogue timer

Joseph Parmelee jparmele at wildbear.com
Sun Feb 3 15:01:41 UTC 2013

On Sat, 2 Feb 2013, Danny Mayer wrote:

> Joseph,
> This is not a security issue with NTP. You need to report problems like
> this to the pool people, we are not responsible for the pool project.
> You should go to the pool web page http://www.pool.ntp.org/ and find out
> how to report this.
> If you are concerned that your NTP server is locking on to a rogue
> server then I suggest you block the address at your firewall and then
> your NTP server will not be able to use it as a source of NTP time.
> Danny
> On 2/1/2013 1:41 PM, Joseph Parmelee wrote:
>> Good afternoon:
>> It appears we might have a rogue timer at as indicated by
>> this
>> run:
>> bruno1:root ~# host 1.pool.ntp.org; sntp 1.pool.ntp.org; date
>> 1.pool.ntp.org has address
>> 1.pool.ntp.org has address
>> 1.pool.ntp.org has address
>> 1.pool.ntp.org has address
>>  1 Feb 10:36:49 sntp[1569]: Started sntp
>>  2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
>>  2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
>>  2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
>>  2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs
>> Note that it claims an accuracy much better than its actual performance.
>> Also note that this run shows my machine (which is not in the pool) to be
>> slow by some tens of milliseconds as indicated by the other members.  This
>> run was taken after my system had been locked onto; my pll
>> freq prior to that had been running a stable 23-25 ppm (depending on cpu
>> temp mainly) with estimated error below 20 ms.  It then locked onto one of
>> the other members but the pll freq was only at 9 ppm which indicates it was
>> considerably slower before, probably negative.  Unfortunately I don't have
>> the pll freq number while locked to
>> But this morning I again found my system locked onto and slow
>> relative to the other members by A WHOPPING 0.451 seconds!!.  At the same
>> time my pll freq was up to 75 which should have made it fast.
>> I can only conclude that is periodically going into some kind
>> of positive feedback oscillation.  My system had been running very stably
>> for many months until they appeared on the scene.
>> Please keep these guys out of the pool until they get it together as they
>> are very disruptive to anyone who tries to use them.
>> Yours,
>> Joseph Parmelee
>> Network Administrator
>> Wild Bear Systems
>> PS This machine does not appear in a reverse-dns and it
>> doesn't respond to pings or traceroutes (the others do).  Lacnic shows the
>> number registered to ICE Costa Rica, but that really tells as little; so is
>> my IP (, and it doesn't show in reverse-dns either.  The
>> reverse-dns is ICE's responsibility.  I can only affect the forward-dns
>> (bruno.wildbear.com).

Thanks for your reply.  It has the webpage I need.

Best regards,


More information about the security mailing list