The NTP Pool Needs More Servers — Yours, If Available

Do you have a static IP or two? If so, you might be able to spread some Internet infrastructure well-being with very little effort. An anonymous reader writes "The NTP Pool project is turning 10 soon, and needs more servers to continue serving reasonably accurate time to anyone in the world."

I would but I just don't have the time...

//puts on sunglasses//

Re:I would but I just don't have the time...

[K.+S.+Kyosuke]

Obligatory: This is no time to argue about time. We don't have the time.

Re:I would but I just don't have the time...

That joke feels a little out of date.

Re:I would but I just don't have the time...

[fractalspace]

"Well, Mister La Forge... It would seem that time is what we have plenty of." - Picard, Stardate 46944.2

Do you need a clock?

[Hatta]

Are we talking about about stratum 1 servers here?

Re:Do you need a clock?

[GuruBuckaroo]

Nope. Anyone with a stable time server is encouraged to join. The operative word being "stable". It's more about providing something that will be reliably *there* when it's needed. The protocol itself will take care of accuracy.

Re:Do you need a clock?

Any idea how much bandwidth this would involve?

Re:Do you need a clock?

[GuruBuckaroo]

Minimal. NTP packets are about 128 bytes. Individual clients will (if up to spec) contact no more than every 64 seconds, but up to 17 minutes once synchronized (or longer if using SNTP). I'm in the pool and I never notice the traffic.

Re:Do you need a clock?

[mitgib]

Any idea how much bandwidth this would involve?

About 1kbit on average, so nothing really. I've provided a pool server for a couple of years now, you have to run ntpd anyway, might as well join it to the pool if it is not going anywhere (IPwise) any time soon.

Re:Do you need a clock?

[Shatrat]

I've got three Symmetricom Stratum 0 servers, but they're only visible on our private network. :( Can't flex my geek horsepower.

Re:Do you need a clock?

[bandy]

you have to run ntpd anyway

You'd be amazed at the number of machines that either aren't running it or are so mis-configured that they're not synchronized to anything.

Re:Do you need a clock?

[Matt_R]

virtualisation often has issues with timekeeping. I wouldn't run an NTP server on a VPS.

Re:Do you need a clock?

Until somebody hard codes your server into their commercial firmware and screws up the NTP implementation.

http://pages.cs.wisc.edu/~plonka/netgear-sntp/

Re:Do you need a clock?

[X0563511]

Almost nothing.

But your system's timing, being a VPS, isn't going to be stable enough to be useful as an NNTP server.

Re:Do you need a clock?

[AmiMoJo]

You can easily become a stratum 1 server, all you need is to connect an accurate time source to the server. GPS is popular but low frequency time signals like DCF77 and JJY work too.

What is NTP?

[cpu6502]

"The NTP pool is a dynamic collection of networked computers that volunteer to provide highly accurate time via the Network Time Protocol to clients worldwide." "Network Time Protocol (NTP) is a networking protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in use." - wikipedia.

Re:What is NTP?

[SJHillman]

What Wikipedia doesn't tell you is that Skynet had humble beginnings as a network clock...

Re:What is NTP?

[mitgib]

What Wikipedia doesn't tell you is that Skynet had humble beginnings as a network clock...

Bow to your Cyberdyn Overlords.

Re:What is NTP?

"The NTP pool is a dynamic collection of networked computers that volunteer to provide highly accurate time via the Network Time Protocol to clients worldwide." "Network Time Protocol (NTP) is a networking protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in use." - wikipedia.

Thanks for that informative post.

Also, anyone reading Slashdot who needed such a post, your geek card has been downgraded to "minion" level. Minion level cards do not get access to the second-floor gym or the breakroom, but can still use the reference library. Take advantage of it!

Re:What is NTP?

[0racle]

News for Nerds. Are you so pitiful you don't know how to use a web search engine?

Oh, excuse me,

A web search engine is designed to search for information on the World Wide Web. - wikipedia

Oh damn

The World Wide Web (abbreviated as WWW or W3,[2] commonly known as the Web, or the "Information Superhighway"), is a system of interlinked hypertext documents accessed via the Internet. - wikipedia

OH GOD DAMNIT

An information system (IS)[1] - is any combination of information technology and people's activities that support operations, management and decision making. -wikipedia

You know what, look it up your damn self.

Re:What is NTP?

[Mr.+Slippery]

NTP could mean anything. It could be "Novell transfer protocol"...

In the same sense that HTTP could be "Highly Technical TARDIS Protocol", yes. But anyone who needs HTTP expanded is a n00b (no offense, we were all n00bs once);it's a universally-used protocol.

NTP is also a universally-used protocol. Every server (every properly-managed server, at least) uses it, and many if not most PCs use it.

OTOH, the number one meaning for "LSEQ" seems to be "Leeds Sleep Evaluation Questionnaire", according to the duck. Not universal.

If you not only don't know what NTP is, but after looking it up think it's mysterious to the average /.er, you deserve a little teasing. ;-)

Re:What is NTP?

[tlhIngan]

Also, anyone reading Slashdot who needed such a post, your geek card has been downgraded to "minion" level. Minion level cards do not get access to the second-floor gym or the breakroom, but can still use the reference library. Take advantage of it!

I think it should be turned in.

The summary even stated what it was about - "providing reasonably accurate time". Sure it's not a full technical description, but it's a good quick summary of the project and what NTP is. If you want more, look it up. If not, you know it's not something you're interested in.

Better than that Opa summary.

Re:What is NTP?

[hairyfeet]

Not to mention NTP is fricking 27 years old now and is one of the oldest Internet protocols still in use. And it isn't just servers that use it, i can't even count the number of times I've had to make sure Windows boxes were checking into NTP regularly because this software or that software wouldn't play nice, hell even Win2K and WinXP would refuse to use WU if the clocks were off by too much.

So unlike the previous article on Opa, which came up with 5 other terms using that including a Greek song ntp takes all of one second and the first answer is what it is. This is one case where I really don't think the wiki entry was required and if it was please hand in your geek card as well as your minion card and please wear the 'I'm a noob LOL!" button on your shirt for the next 6 months so nobody asks you a damned thing, kthxbye.

Re:What is NTP?

[cffrost]

Minion level cards do not get access to the second-floor gym or the breakroom, but can still use the reference library. Take advantage of it!

If you think I'm going to climb a flight of stairs to get to a gymnasium, you're out of your damn mind.

Re:What is NTP?

[SoCalChris]

"Fuck" is an English word that is almost universally considered vulgar by its speakers. In its most literal meaning, it refers to the act of sexual intercourse. By extension it may be used to negatively characterize anything that can be dismissed, disdained, defiled, or destroyed and may also be used as an intensive.

"Fuck" can often be used as a verb, adverb, adjective, imperative, interjection, and noun. It has various metaphorical meanings. To be "fucked" can mean to be cheated (e.g., "I got fucked by a scam artist"), or to be broken or ruined (e.g., "my computer is fucked") as well as to be sexually penetrated. As a noun, "a fuck" or "a fucker" may describe a contemptible person. "A fuck" may mean an act of copulation. The word can be used as an interjection, and its participle is sometimes used as a strong (not necessarily negative) emphatic. The verb to fuck may be used transitively or intransitively, and it appears in compounds, including fuck off, fuck you, fuck up, and fuck with. In less explicit usages (but still regarded as vulgar), fuck or fuck with can mean to mess around, or to deal with unfairly or harshly. In a phrase such as "don't give a fuck", the word is the equivalent of "damn", in the sense of something having little value. In "what the fuck?!", it serves merely as an intensive. If something is very abnormal or annoying, "this is fucked up!" may be used.

-Wikipedia

Re:What is NTP?

[Anne+Thwacks]

I refuse to participate in a "No to Pizzas" campaign. Furthermore, I want Sardines on my Pizza: My grandmother always used to say "a pizza with no Sardines on it is like - a pizza without sardines". Vote Sardinista

Re:What is NTP?

[fuzzywig]

Windows clients can't even logon to an Active Directory Domain if their clocks are out by more than five minutes (from the Domain time). This is a problem if your clients are so damn old that their battery backup on the motherboard has run down, and you don't have the budget to replace them :(

Re:What is NTP?

[hairyfeet]

The way I got around that was using Task manager to call AtomicTime with the correct on launch checked. the program only takes around 50k memory, works on any machine from Win95- Win 7 X64 (admin required for Vista/7 of course) and takes less than 10 seconds all told to do its job, and its free. if you have some machines that for one reason or another lose time (such as cheap bastards not paying for new batteries) just set up AtomicTime to run on boot and it'll set the time perfectly every time. I had mine set to use the 3 closest servers and since i had it on my thumbstick on my keyring it was as simple as dragging it off and 3 minutes in Task manager, couldn't be easier friend.

No Gov. help?

This seems like something that almost every country and government in the world, could thrown down a couple hundred dollars a year for. 3rd world, and war-torn countries need not apply for obvious reasons....

In the US, is NIST involved in this at all? If not, why not? Just seems like something that they'd be all over.

Re:No Gov. help?

[SJHillman]

http://tf.nist.gov/tf-cgi/servers.cgi

Step 1: Open Browser
Step 2: Put "nist ntp" in browser/search bar
Step 3: Click Enter
Step 4: Click on first link
Step 5: Copy link to Slashdot
Step 6: Use the remaining 8 seconds of your 10 second break to highlight what steps you took to get that link

Re:No Gov. help?

[GuruBuckaroo]

(ahem) I believe the OP was asking if the NIST time servers were part of the pool.ntp.org group. Which that page doesn't answer. So, thanks for playing, and enjoy the home version.

Re:No Gov. help?

[Kohenkatz]

The OP was asking if the NIST time servers were part of the pool.ntp.org group.

They aren't. However, NIST does have Stratum 1 Servers.

Re:No Gov. help?

[ask]

As others pointed out, NIST operates a set of high quality clocks available via NTP, too. Last I talked to someone there and tried to estimate the pool.ntp.org usage the two systems got a comparable number of requests.

There are different tradeoffs to using NISTs servers and using pool.ntp.org.

More than just a static IP

[MetalliQaZ]

Anyone considering this should carefully read the NTP pool's page on the matter. In addition to having a static IP, you need to have fairly good availability over a long period of time, and more importantly you need to be able to handle a lot of traffic. Even though the traffic is fairly low most of the time, you could experience spikes that would be difficult to handle for small businesses or amateurs. Also, anyone with metered bandwidth on their server/colo would almost certainly be unable to handle the cost.

The NTP pool is something that you have to consider carefully. You can't help out for 18 months and then decide to quit. You can expect to receive traffic for up to YEARS after you leave the pool.

-d

Re:More than just a static IP

[ShaunC]

Yeah, you really oughtn't try to volunteer your DSL connection. If you have a dedicated server somewhere, though, it's pretty simple to configure ntpd and register yourself as part of the pool. I've been doing my part for a few years (whoops - I rebooted yesterday). The traffic really is negligible and the load is practically nil. If you've got the resources, help the cause!

Re:More than just a static IP

[kwark]

I've seen spikes in traffic coming from eastern european countries and Turkey a couple of years ago. Using the recent iptables module I limit traffic to ntp:
iptables -A INPUT -i eth0 -p udp --dport 123 -m recent --name ntp --set
iptables -A INPUT -m recent --name ntp --update --seconds 30 --hitcount 6 -j DROP
And the abuse eventually stopped.

Why not use EC2?

[paulschreiber]

Can Google/Apple/Amazon not just throw some money at this?

Re:Why not use EC2?

[TooMuchToDo]

Virtual machines cannot be used for NTP:

http://support.ntp.org/bin/view/Support/KnownOsIssues#Section_9.2.2.

NTP was not designed to run inside of a virtual machine. It requires a high resolution system clock, with response times to clock interrupts that are serviced with a high level of accuracy. No known virtual machine is capable of meeting these requirements.
Run NTP on the base OS of the machine, and then have your various guest OSes take advantage of the good clock that is created on the system. Even that may not be enough, as there may be additional tools or kernel options that you need to enable so that virtual machine clients can adequately synchronize their virtual clocks to the physical system clock.

Re:Why not use EC2?

I think he means why doesn't Google or Amazon run their own NTP servers which they contribute to the pool. Google already has a public DNS system. Having a public NTP system that is part of the NTP pool would also be helpful. The network traffic would be a drop in the bucket for them. Meanwhile, they already have servers in locations that need more NTP pool support, such as South East Asia and Latin America.

Re:Why not use EC2?

[Kohenkatz]

In theory, Microsoft runs NTP at time.windows.com. In practice, it seems very flaky. Search for it and you'll find countless forum posts about outages.

Re:Why not use EC2?

[Fnordulicious]

Can Google/Apple/Amazon not just throw some money at this?

Apple already has a few configured by default in Mac OS X: time.apple.com, time.asia.apple.com, time.euro.apple.com

$ ntpdate -q time.apple.com
server 17.151.16.23, stratum 2, offset -0.002298, delay 0.04951
server 17.171.4.13, stratum 2, offset -0.003922, delay 0.09973
server 17.171.4.14, stratum 2, offset -0.003779, delay 0.09933
server 17.171.4.15, stratum 2, offset -0.004068, delay 0.09940
server 17.171.4.21, stratum 0, offset 0.000000, delay 0.00000
server 17.171.4.22, stratum 2, offset -0.010687, delay 0.11308
server 17.171.4.23, stratum 2, offset -0.006814, delay 0.10687
server 17.171.4.24, stratum 0, offset 0.000000, delay 0.00000
server 17.151.16.12, stratum 2, offset -0.002686, delay 0.04926
server 17.151.16.14, stratum 2, offset -0.002507, delay 0.04927
server 17.151.16.20, stratum 2, offset -0.002333, delay 0.04941
server 17.151.16.21, stratum 2, offset -0.002317, delay 0.04892
server 17.151.16.22, stratum 2, offset -0.002512, delay 0.04955
server 17.151.16.38, stratum 2, offset -0.002454, delay 0.04890

$ ntpdate -q time.asia.apple.com
server 17.82.253.7, stratum 2, offset 0.003790, delay 0.25430
server 17.83.253.7, stratum 2, offset -0.000764, delay 0.15932

$ ntpdate -q time.euro.apple.com
server 17.72.255.12, stratum 2, offset -0.006641, delay 0.20169
server 17.72.255.11, stratum 2, offset -0.006988, delay 0.20267

So it looks like they’ve got a reasonable handful in the pool. Dunno about Google or Amazon because googling didn’t turn up anything immediately obvious.

Re:How do we help ???

[Dog-Cow]

It is easy and they do provide documentation. I added my server and it took about 10 minutes. Stop being a lazy shit.

$25 Raspberry Pi + $27 GPS reciever?

[bill_mcgonigle]

Some quick searching shows one can get a USB GPS receiver for $27 and the comments say it works with linux/gpsd, showing up as /dev/ttyUSB0.

Somebody could make a simple OS image that would narrow the scope of the problem to the availability of ~$60 and an available public IP address.

In the mean time....

[Xtifr]

I've always wondered about the defaults to have every RH/Debian/Suse/Ubuntu/etc. box talk directly to the pool. I know that for years, the pool has been considered fully sufficient to meet these needs, but it just always struck me as more efficient for an organization to run its own NTP server--one machine talking to the pool--and have other machines in the organization talk to that, rather than having all the machines in the organization talk to the pool.

For home use, I actually use ntpupdate in a once-a-day cron job, rather than having a full ntpd talking to the pool all day long. It was a little more work to set up (which is also something I wish could be addressed), but combined with automatic drift correction, it seems more than adequate for my needs.

Not that I want to discourage people from contributing to the pool! That's a great idea. I just think it might also be beneficial if people learned to be less abusive of the pool, and if distro makers made it easier to not abuse the pool.

Re:In the mean time....

[fuzzyfuzzyfungus]

The 'default' is what it is because it is the setting that provides the best chance of working right out of the box. Hitting a known public NTP source qualifies as a pretty sane default.

Now, if you are going to be running a bunch of systems, it certainly is polite, as well as efficient, to run your own NTP server for your internal systems, just as you likely run your own DNS server for them. However, that isn't really something you can sensibly set as the default; because every organization's internal server will have a different address and smaller sites/single users/laptops frequently off the LAN simply won't have one.

Not all that dissimilar from the fact that most distro's package managers default to pointing directly to the public package mirrors. That is obviously nuts from the perspective of anybody running more than a few machines, you'll waste enormous amounts of time and bandwidth if you aren't caching packages and updates; but your default can't really assume the existence of a local cache...

Re:In the mean time....

[Xtifr]

Yeah, I kinda get that. Still, it seems like it's harder than it ought to be to use something other than the default. When I set up a system, it generally asks me what I want to use for DNS, but never asks what I want to use for NTP.

Package pools, I think, are slightly different, since they're distro-specific and take a lot of space, and even a moderate-sized organization may be unwilling to host their own mirrors for all the distros they use internally. Still, I certainly wouldn't object to the distros making it little easier to do so for companies that want to.

Re:In the mean time....

[csnydermvpsoft]

Many/most distros will use the NTP servers provided via DHCP (if configured) instead of the built-in defaults. I know this is true for Ubuntu, at least — not sure if their dhclient/ntpd configuration is nonstandard or not (knowing Ubuntu, there's a high likelihood that it is).

Re:In the mean time....

[heypete]

I've always wondered about the defaults to have every RH/Debian/Suse/Ubuntu/etc. box talk directly to the pool. I know that for years, the pool has been considered fully sufficient to meet these needs, but it just always struck me as more efficient for an organization to run its own NTP server--one machine talking to the pool--and have other machines in the organization talk to that, rather than having all the machines in the organization talk to the pool.

They actually talk to a "vendor" subdomain of the pool: 0.rhel.pool.ntp.org, 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, etc.

They provide vendor-specific subdomains and encourage vendors to provide NTP servers to the pool. Thus, if there's some abuse or misconfiguration that results in excessive traffic they can change the vendor-specific subdomain to prevent that traffic from flooding NTP servers without inconveniencing clients that use the general pool.

Anyway, yes: it's better for an organization to have one or two local time servers communicate with the pool (or other sources of time) and then provide time service to the local network. Still, talking to the pool is a reasonably sane "general purpose" default.

Re:In the mean time....

[fuzzywig]

Shockingly (to some), Microsoft actually use this good idea. In an AD domain, the domain controller(s) is/are the time source for all client computers, and should be then configured to check their own time against a reliable source. I use the uk.pool.ntp.org servers myself.

Re:In the mean time....

[Just+Some+Guy]

That's not a very good idea, in my opinion. Our alternative is to run an NTP server on a lot of internal machines and point each client to a random subset of those - in essence, creating our own NTP pool. Each of those internal servers is an independent source, so if one of them goes astray, clients can automatically start ignoring it. If you only have a single machine providing time, your entire organization is dependent on the whims of a single hardware clock.

Re:In the mean time....

[Just+Some+Guy]

For home use, I actually use ntpupdate in a once-a-day cron job, rather than having a full ntpd talking to the pool all day long. It was a little more work to set up (which is also something I wish could be addressed), but combined with automatic drift correction, it seems more than adequate for my needs.

That's not a good approach. ntpd handles a lot of edge cases - what if your drift isn't constant? what if some of your time sources turn out to be flaky? - and generally only checks the upstream clocks often enough to verify that it's still running correctly. It would be really hard to build that much functionality into a home-rolled solution, and given that it's harder to do it your way than to just run ntpd in the first place, why not?

Re:In the mean time....

[fuzzyfuzzyfungus]

There are certainly exceptions; but most AD scenarios care about time mostly because Kerberos gets touchy if you attempt authentication between machines with excessive clock skew and users get touchy if they can't trust their system clocks to roughly match their email timestamps, their cellphones, and their boss's clock.

If one actually does require great accuracy, there are different considerations; but mediocre accuracy and good consistency is usually what people actually need....

Re:In the mean time....

[Xtifr]

I just used the script expressly provided for the purpose, and followed the clear instructions that came with it. If you think the script is so horrible, feel free to file a bug report and see if the maintainer agrees. As for why I don't want yet another silly daemon running, well, it's because I don't want yet another silly daemon running. Call it personal taste if you will, but it's been working well enough to meet my needs for over a decade now (I"ve replaced all the hardware, but it's been the same logical system throughout).

errr... $35 Raspberry Pi + $27 GPS reciever

[bill_mcgonigle]

needs the Model B, of course.

Re:$25 Raspberry Pi + $27 GPS reciever?

[MyFirstNameIsPaul]

Perhaps you could also point out a source for a Raspberry Pi.

Woo-hoo! First post!

[PPH]

They can use my system if they don't mind pretty crappy latency.

Re:Woo-hoo! First post!

[Just+Some+Guy]

They don't, as long as it's consistently crappy. If tests can establish that you always have a delay of 1000.000ms, your machine is a better time source than another that has 100 += 99 ms.

Re:Woo-hoo! First post!

[vnaughtdeltat]

100 += 99

slashdot.c: In function 'comment':
slashdot.c:1: error: lvalue required as left operand of assignment

US Navy Master Clock

[cffrost]

These three are the US master clock's stratum-1 servers. They most likely will not run out of bandwidth. The last one isn't (intended) for civilian users, so don't come to me if an aircraft carrier, F/A-18 Hornet, etc. smashes through your front door.

tick.usno.navy.mil
tock.usno.navy.mil
ntp.usno.navy.mil

More information.

Re:US Navy Master Clock

[Just+Some+Guy]

These three are the US master clock's stratum-1 servers. They most likely will not run out of bandwidth.

Don't do that, though; it's anti-social. The NTP ecosystem is much better off scaling horizontally than vertically.

Re:US Navy Master Clock

[Just+Some+Guy]

That is a perfectly reasonable use. Basically, you're configuring a few internal machines to serve as proxies for the rest. And from an operations standpoint, you're providing a (likely) much more stable clock source that's not at the whims of your upstream network.

No data behind the claim

[Gothmolly]

Without metrics, this is just "Please sir, may I have some more?"
How about telling us how many servers are there, what their utilization is, client load, etc?

Re:No data behind the claim

[negge]

You took the time to post here but didn't take the time to RTFA, which by the way would have provided answers to all your questions?

Okay, NOW I'm confused

[RulerOf]

"no to pizza"

Why would you make up an acronym for a concept that doesn't exist for words that cannot be spoken?

I don't see the psu.edu ones listed

[rrossman2]

They can be read up on here:
http://tns.its.psu.edu/networking/timeReference.cfm

Getting Big ISPs involved

[billstewart]

It would make more sense for ISPs to be providing NTP service, since the shortest routes have to go through their peering points or other gateways anyway. Has the NTP Pool been trying to bring them in?

Re:Getting Big ISPs involved

[ask]

Depending on how you count "the NTP Pool" is either just me or it's all of us, hint hint. :-)

Re:How about static DNS name vs static IP address?

Because their load balancing shouldn't have to resolve your IP every time they send someone to your server. Tends to fuck up the accuracy of the, you know, time... Also, your connection is not reliable enough based on your comment. This is not folding at home, SETI at home, etc. They don't want people like you fucking things up.

Re:How about static DNS name vs static IP address?

[profplump]

The NTP protocol doesn't support changing IPs -- there's a long-term relationship among hosts in an NTP group. Servers like yours that hop on and off the network are only useful for single-sync applications and therefore are not suitable for inclusion in an NTP pool.

Don't volunteer on broadband...

[jg]

Since all broadband connections have bufferbloat (to some degree or other), in all technologies (fiber, DSL and cable alike), it isn't a good idea to volunteer to run an NTP server on such a connection, even if it is/has been reliable. Bufferbloat will induce transient bad timing into your time service; even more fun, in often a asymmetric way, pretty much any time you do anything over that link.
                                                                    - Jim

Re:Don't volunteer on broadband...

[profplump]

While high-precision public servers are nice, most applications for NTP aren't sensitive to the amount of jitter introduced by consumer-grade endpoint (which I'd characterize as almost never exceeding 100ms, and often below 50ms). If you have an application where that much jitter in your NTP sync is an issue you need a local NTP server anyway, and quite possibly a local time source.

Re:How about static DNS name vs static IP address?

[PhotoJim]

Many ISPs will give you a static IP for a reasonable monthly charge.

Some do it by default, like mine.

Too many idiots are pissing in the pool.

[jcochran]

I used to have a computer in the pool, but removed it due to disgust with the NTP abusers out there. When I looked at the logs, I would see that the vast majority of incoming traffic was from a relatively small handful of IP address. For normal well behaved users, you would see them hit you every 64 seconds and over a period of a few hours slowly back off until they do a query only once every 1024 seconds. Reasonable and well behaved. Even a relatively low bandwidth DSL line could handle a lot of users like that.

Unfortunately, not all the users are reasonable and well behaved. There were a few addresses that were hitting me with a query per second. And you can't blacklist these anti-social idiots because if you do, they're still consuming inbound bandwidth. After a period of time where 1% of the users were consuming 99% of my donated resources, I left the pool out of disgust. Was still getting hits from the idiot users a year later.

To make their idiocy even more evident, the SHORTEST interval that NTPD will hit a server is once per 16 seconds. So those once a second idiots were using software that itself was written by idiots.

Would I donate to the pool again? Nope. Not at long as there are invalid NTP clients that hit that often. If I could be assured that the idiots are gone, then I'd donate. Until then, I don't need the headaches.

Re:Too many idiots are pissing in the pool.

[TheSpoom]

Could you have emailed their ISP's abuse department?

Re:Too many idiots are pissing in the pool.

[primus1024]

Could that be a bunch of computers behind NAT using the same external IP or you think those users were genuinely malicious?

Re:Too many idiots are pissing in the pool.

[profplump]

I've got one better -- I actually had a pool user call my ISP and get me disconnected (temporarily) because I was "hacking" them on UDP port 123.

Re:Too many idiots are pissing in the pool.

[sys_mast]

Any chance it could have been valid clients, but through NAT looks like one client with an excessive amount of hits/min? Of course a reasonable person should have one NTP client hit the pool, and sync all the rest of the clients to the local. I guess i'd be surprised if it was a poorly coded client, does anyone use anything besides the default NTPD?

Re:Too many idiots are pissing in the pool.

[Meostro]

To make their idiocy even more evident, the SHORTEST interval that NTPD will hit a server is once per 16 seconds. So those once a second idiots were using software that itself was written by idiots.

So you don't think this was 1 NATted IP running 16+ servers behind it? As someone said above the default for some OSes is to hit the pool directly.

Re:Too many idiots are pissing in the pool.

[profplump]

Probably not malicious -- probably just using bad software, or putting in ridiculous settings because they don't understand how NTP works.

Re:Too many idiots are pissing in the pool.

[I'm+just+joshin]

Okay, that's funny! And a worthy post to respond to to remove an inadvertent mod.

Re:Too many idiots are pissing in the pool.

[ask]

Being able to leave, as you did, is part of the point of the pool system. With the static lists of DNS names and IPs, there wasn't a good way to stop providing service again.

It is frustrating with the abusers, but getting that fixed is a parallel problem to providing service. With the pool at least we can spread the abuse out over thousands of servers rather than having a handful of hardcoded servers getting all of it.

Ask

Re:Too many idiots are pissing in the pool.

[AmiMoJo]

I'd just start randomly drifting their clocks, see how far off you can get them before they notice.

Re:Too many idiots are pissing in the pool.

[don.g]

You want them to stop? Don't randomly drift; return a stupid time like now minus a year (so nice and stable, just wrong). That's easy enough with a second NTP server and DNAT.

Re:Too many idiots are pissing in the pool.

[petermgreen]

I'd expect a load of computers behind NAT to create a big traffic storm if they were all rebooted at once but it would then subside as the computers backed off to. Also the traffic would likely be relatively irregular.

A regular request every second sounds like a mark of a client developed by someone who either didn't understand how NTP was supposed to work or didn't care about the load they were putting on donators

Re:Too many idiots are pissing in the pool.

[jafo]

This is similar to the reason I ended up leaving the pool 7 years ago... The week I left the pool I had two different people call me telling me that one of my machines was hacked because it was attacking their network. "Hmm, what port are you seeing the attacks on?" "123." "You know what 123 is, right? NTP... Those packets your intrusion detection system is complaining about are in response to packets you sent that server."

It was actually the guy that hung up on me while I was telling him that his machines were causing this, that caused me to leave the pool. I'm sorry, but I just can't be providing individual phone support to everyone who uses the NTP pool, that's kind of how I was feeling...

I haven't been in the pool for 7 years, and I'm still getting around 8,000 packets per second on NTP, around a megabit per second. There's one DSL line in Italy that sends an average of 15 packets/sec.

Here's a blog post I wrote in relation to this: http://www.tummy.com/journals/entries/jafo_20050412_123522

Sean

Re:Too many idiots are pissing in the pool.

[buglista]

ooh, me too! i had a complaint to abuse@university.nz along similar lines.

We were stratum 2 for New Zealand. They had somehow configured their crappy Windows box to be stratum 1, and then wondered why they got a whole load of queries. Feckin eejits.

Re:Too many idiots are pissing in the pool.

[Just+Some+Guy]

Unfortunately, not all the users are reasonable and well behaved. There were a few addresses that were hitting me with a query per second. And you can't blacklist these anti-social idiots because if you do, they're still consuming inbound bandwidth.

I feel your pain, and it is (or at least was) made worse by ntpd itself. I tried to get limiting working a few years ago, but in the end my server kept answering requests from even the most abusive clients. This peeved me greatly. When I've flagged a client as bad, stop talking to them.

I still wanted to help out with the pool, though. I ended up adding a few dummynet pipes with random delays from 0 to 30 seconds and various probabilities of being used, and maintained a manual blacklist of abusive clients who got their answers redirected back through those randomly delayed pipes. That actually seemed to work; those clients noticed that my clock was between 0 and 30 seconds off at any given time and eventually stopped asking.

I don't recommend that approach as it was fairly labor intensive, but I did enjoy my BOFH moment in the sun.

Re:$25 Raspberry Pi + $27 GPS reciever?

[kwark]

An USB GPS means no Pulse Per Second (actually 1000ms). The PPS fires an interrupt on the serial port, which should result in an interrupt every 1000ms accurate within 100us.

The lack of PPS will result in a ntpd with lots of jitter, my experience is about +/- 150ms but this depends heavily on actual USB usage and the GPS device itself. This is unsuitable for a low stratum ntpserver IMHO, so don't use it as the only timesource if you want to participate in the pool unless you advertise it as some high stratum source (I would guess 5-10).

Re:$25 Raspberry Pi + $27 GPS reciever?

[NevarMore]

So how do I get the GPS receiver to get a time signal in my basement or datacenter?

Re:Guess What?

[profplump]

NTP requires long-term relationships among the hosts in the peer/server group. As implemented that means static IPs, but even if you changed the system to do repeated DNS lookups the NTP pool couldn't use hostnames -- the DNS-based pooling currently in use does not include any mechanism to distribute hostnames, nor do most NTP clients provide any method to easily consume such data even if it were available.

Re:$25 Raspberry Pi + $27 GPS reciever?

[heypete]

Serial. USB has variable latency.

I use this receiver, which is quite reasonably priced. The wiring diagram at this site makes it quite easy to assemble.

Rather than driving the PPS LED directly from the PPS line, I used an NPN transistor to switch the LED on and off with each pulse. The transistor draws a negligible current from the PPS line.

I got the whole setup wired in less than an hour. Works quite well.

Geographic distribution

[tepples]

As I understand it, an NTP server closer to you on the Internet will provide more accurate time. Fewer hops away generally means a shorter ping and less jitter. Adding more servers in underserved countries adds more servers closer to users in those countries.

NTP Pool = Socialism

Real Americans pay for the time and don't rely on handouts.

Re:$25 Raspberry Pi + $27 GPS reciever?

[bill_mcgonigle]

Serial. USB has variable latency.

What's the cause of the variability of the USB latency? Does it apply on a dedicated bus?

This testing makes it look fairly stable.

Re:NTP server VM image, or minimal NTP server conf

[A+bsd+fool]

You don't run an NTP server in a VM. NTP servers need realtime (or as close as possible on a non-RTOS) access to the clock and network, and no matter much you jack up the priority of your NTP server VM, it's not going to be stable enough for anyone to bother using it. This is why e.g. VMWare ESX run an internal ntp daemon that the VMs can sync to, which itself syncs to the ntp pool.

Re:$25 Raspberry Pi + $27 GPS reciever?

[ask]

Yes, if a USB receiver makes it accurate enough for the monitoring system then it's fine. (Though the monitoring system has been tuned to be stricter and stricter over the years).

However: if the USB receiver has more "jitter" than the other internet servers you'd be syncing from as backup, then there's not much point in having it.

Re:$25 Raspberry Pi + $27 GPS reciever?

[ask]

A long cable. :-) Depending on the equipment you can have cables several hundred feet long.

An (expensive) way is to use a CDMA receiver. The CDMA protocol needs accurate timing, so it's included in those signals. It's not as accurate as GPS, but it can work in places with no "sky view" access.

Re:Guess What?

[ask]

Maybe I'll do that in the future if we setup a separate DNS name for SNTP clients. For "ntpd" it's not currently practical. The ntpd developers are working on some new features that might make occasionally changing IPs work better with it, but it'll be a long time before they're widely deployed.

Re:$25 Raspberry Pi + $27 GPS reciever?

[X0563511]

Something like this, with a proper run down to the receiver. With a RF Amplifier if needed.

Re:NTP server VM image, or minimal NTP server conf

[ask]

I actually have made that (running FreeBSD/NanoBSD), but it still costs $300-$400 or so -- seems like too much for a hobby when just running ntpd on some linux box you already have is almost as good. Maybe for people who have a static IP but no server running 24/7? Seems like a small group...

A small computer with the appropriate serial port (Soekris box, for example - $200 - $250 with power supply and small compact flash) plus Garmin 18lvc with the appropriate cabling (~$100). Then you still also need an (extra?) static IP address and space near a window (as you said). Doesn't seem like a big market!

Re:$25 Raspberry Pi + $27 GPS reciever?

[AmiMoJo]

The only down-side to USB GPS devices is that they don't have accurate 1PPS signals. A serial GPS can send the 1PPS signal to the DTR line where the computer can detect it for sub microsecond accuracy. Unfortunately serial ports are getting more and more uncommon, and use annoying +/-12V signalling.

Re:$25 Raspberry Pi + $27 GPS reciever?

[heypete]

USB has the controller poll devices. Even on a dedicated bus there's a degree of uncertainty from the polling. Also, relying on NMEA data adds even more uncertainty, as there's no assurance that sentences are delivered in the right order or at timing more precise than one second.

My GPS triggers a serial interrupt when the PPS line goes high. The PPS line is within 1uS of UTC. After an hour or two to settle, NTP holds the time within +/-15uS.

Sure, one second precision is probably "good enough" for normal uses, but one can get more consistent time from most public servers. Providing one second precision time as a public time server is a bad idea, as NTP expects more consistent ticks and this will confuse other clients.

Running a serial GPS+NTP clock is pretty easy and provides much more stable time. Why bother with a USB GPS receiver when a more suitable serial+PPS capable one is available for only slightly more?

Re:$25 Raspberry Pi + $27 GPS reciever?

[bill_mcgonigle]

An USB GPS means no Pulse Per Second

Hrmmm .... good point - looks like it is available in a few devices.

esr says he can get 1ms on USB with the Macx-1 device. What accuracy is required for each stratum? The bufferbloat people are using that device for their latency measuring project.

Re:NTP server VM image, or minimal NTP server conf

[NevarMore]

If "low power" wasn't a requirement you could do it for almost free. Old PCs are tossed every day that would run NTPd just fine. Problem is the damn thing would sit there humming away eating power.

Re:$25 Raspberry Pi + $27 GPS reciever?

[Barsteward]

my server doesn't need to know where its going, its stationary.

Re:$25 Raspberry Pi + $27 GPS reciever?

[heypete]

As I mentioned previously, after a few hours to settle NTP can match time to my GPS clock (which provides PPS output and NMEA sentences over serial) with a jitter of 15 microseconds on Linux (Ubuntu Server 10.04).

Using only the NMEA sentences over serial without PPS, jitter increases to ~250 milliseconds, roughly 16,000x more. Sure, it's "only" a quarter second, but still. It might be good enough for internal use but I wouldn't provide a public time server with a USB GPS clock.

Since USB receivers don't provide PPS output and the USB controller polls devices at intervals (rather than responding to serial interrupts), there's no way for a USB receiver to come close to the precision of a PPS-based serial connection.

Re:$25 Raspberry Pi + $27 GPS reciever?

[Bob+the+Super+Hamste]

I will have to check that out. I have an older machine that sits powered off but I would have no problem re-purposing it for this. I have a static IP on a business class line at home that sits unused most of the time. I didn't know there were cheaper devices than the big Symmetricom devices. Also how weather proof is that puck as the location of the computer I would attach it to would allow it to be put up on a south facing roof for better signal reception.

Re:Good luck with that

[ledow]

I don't think they WANT people with home connections. They're more interested in people who run their own servers in a remote datacenter or even VPS servers. They need always-on, not "on whenever the user isn't on holiday".

And on that basis, I don't know of a VPS provider that *doesn't* just provide 100's or even 1000's of GB's of traffic to each user.

My current host has a limit of 1TB of data per month, for example, and costs less than £20 a month. And that's not even a particularly cheap example.

Some routers can be NTP servers

[thogard]

You should set up a local router for your local machines to use as an NTP server and tell your DHCP to tell your hosts which NTP server to use. Just watch out when the router reboots since it may have no idea what time it is.

5 years ago I wrote a script that does a traceroute and then finds out of the hosts support NTP.
Its the bottom of my text on NTP Info page