Category Archives: NTP

Basic NTP Client Test on Windows: w32tm

When implementing NTP servers, it’s always an interesting part to check whether the server is “up and running” and reachable from the clients. While I’ve done many basic NTP checks out of Linux, I lacked a small docu to do this with Windows. It turned out that there’s no need for third-party software because Windows already includes a tool to test NTP connections: w32tm.

Continue reading Basic NTP Client Test on Windows: w32tm

Publishing IPv6 NTP Servers with DHCPv6

During the last weeks, I had an interesting request to publish NTP servers to client systems by using DHCPv6 in an IPv6 only network. Our Fortigate (or me?) had to learn how to publish the information. Hence this post is not only about NTP and IPv6, but a small guide on how to walk through RFCs and how to get out the relevant information. I’m very happy I got the possibility to share my experience here. Thank you, Johannes!

Continue reading Publishing IPv6 NTP Servers with DHCPv6

FortiGate bug: firewalls sending excessive requests to the NTP Pool

The NTP Pool is a volunteer organization that provides time synchronization service to hundreds of millions of computers worldwide. A typical client might query a particular NTP Pool server ~10-60 times/hour. Wikipedia lists some abusive clients that far exceeded the normal rate. This wastes NTP server resources, may interfere with other clients, and can trigger DDoS protections. In late 2019, a software update made some FortiGate firewalls very unfriendly to the NTP Pool.

Continue reading FortiGate bug: firewalls sending excessive requests to the NTP Pool

NTS Published as Standard

This is a guest blogpost by Martin Langer, Ph.D. student for “Secured Time Synchronization Using Packet-Based Time Protocols” at Ostfalia University of Applied Sciences, Germany.


The Internet Engineering Task Force (IETF) published the Network Time Security protocol (NTS) as RFC 8915 on October 1, 2020. This new standard offers security mechanisms for the widely used Network Time Protocol v4 (NTPv4), which has been operated mostly unsecured until now. After almost eight years of development, global collaboration, and many interoperability tests of leading NTP software developers, NTS represents a mature security protocol. In this post, I’ll give you a short overview of the development progress of NTS and provide a list of public implementations and NTS secured time servers…

Continue reading NTS Published as Standard

NTP Filtering (Delay & Blockage) in the Internet

NTP (Network Time Protocol) messages are sometimes rate-limited or blocked entirely by Internet operators. This little-known “NTP filtering” was put into place several years ago in response to DDoS (Distributed Denial of Service) attacks. NTP filtering may drop NTP messages based on rate or message size. Let’s dig into it: Continue reading NTP Filtering (Delay & Blockage) in the Internet

UK IPv6 Council Spring 2020: Incorrect Working IPv6 Clients & Networks

I did a short presentation at the spring 2020 roundtable of the UK IPv6 Council. The talk was about a case study I did with my NTP server listed in the NTP Pool project: For 66 days I captured all NTP requests for IPv6 and legacy IP while analyzing the returning ICMPv6/ICMPv4 error messages. (A much longer period than my initial capture for 24 hours.) Following are my presentation slides along with the results.

Continue reading UK IPv6 Council Spring 2020: Incorrect Working IPv6 Clients & Networks

Stig Nygaard - Nighttime

Setting up NTS-Secured NTP with NTPsec

This is a guest blogpost by Martin Langer, Ph.D. student for “Secured Time Synchronization Using Packet-Based Time Protocols” at Ostfalia University of Applied Sciences, Germany.


In the previous posts, I already introduced the Network Time Security (NTS) protocol and described the most important features. Although the specification process has not been completed, there are already some independent NTS implementations and public time servers (IETF106). NTPsec is one of the important representatives of this series and already offers an advanced NTS solution. In this post, I’ll give you a short guide to setting up an NTS-secured NTP client/server with NTPsec.

Continue reading Setting up NTS-Secured NTP with NTPsec

Network Time Security – Strengths & Weaknesses

This is a guest blogpost by Martin Langer, Ph.D. student for “Secured Time Synchronization Using Packet-Based Time Protocols” at Ostfalia University of Applied Sciences, Germany.


The Network Time Security protocol (NTS) is close to completion as an Internet standard and will replace the existing security mechanisms in NTP. The introductory article on NTS describes the basic communication process as well as the most important features. Despite high-security efforts, NTS also has its limitations. In this blogpost, I list the strengths and weaknesses of the new authentication mechanism and describe them briefly.

Continue reading Network Time Security – Strengths & Weaknesses

Network Time Security – New NTP Authentication Mechanism

This is a guest blogpost by Martin Langer, Ph.D. student for “Secured Time Synchronization Using Packet-Based Time Protocols” at Ostfalia University of Applied Sciences, Germany.


In many areas, the use of authentication mechanisms in NTP is important to prevent the manipulation of time information by an attacker. For many years, NTP has been offering solutions such as a Symmetric Key based method and the Autokey approach. However, both have serious disadvantages, for which reason they are rarely used to secure NTP connections. After years of development, a new standard is to be adopted in 2020 that solves the problems of the current mechanisms and offers a real alternative. First implementations of the so-called Network Time Security protocol (NTS) are already available and interoperate with each other …

Continue reading Network Time Security – New NTP Authentication Mechanism

Incorrect Working IPv6 NTP Clients/Networks

During my analysis of NTP and its traffic to my NTP servers listed in the NTP Pool Project I discovered many ICMP error messages coming back to my servers such as port unreachables, address unreachables, time exceeded or administratively prohibited. Strange. In summary, more than 3 % of IPv6-enabled NTP clients failed in getting answers from my servers. Let’s have a closer look:

Continue reading Incorrect Working IPv6 NTP Clients/Networks

NTP Server’s Delta Time

This is a guest blogpost by Jasper Bongertz. His own blog is at blog.packet-foo.com.


Running your own NTP server(s) is usually a good idea. Even better if you know that they’re working correctly and serve their answers efficiently and without a significant delay, even under load. This is how you can use Wireshark to analyze the NTP delta time for NTP servers:

Continue reading NTP Server’s Delta Time

Stats from Participating the NTP Pool Project

I am participating in the NTP Pool Project with at least one NTP server at a time. Of course, I am monitoring the count of NTP clients that are accessing my servers with some RRDtool graphs. ;) I was totally surprised that I got quite high peaks for a couple of minutes whenever one of the servers was in the DNS while the overall rate did grow really slowly. I am still not quite sure why this is the case.

For one month I also logged all source IP addresses to gain some more details about its usage. Let’s have a look at some stats:

Continue reading Stats from Participating the NTP Pool Project

Adding your NTP Server to the NTP Pool Project

Do you have a running NTP server with a static IP address? What about joining the NTP Pool project by adding your server to the pool? You will give something back to the Internet community and feel good about it. ;)

It doesn’t matter if you’re running a Raspberry Pi with GPS/DCF77 on your home, or a fully-featured NTP appliance such as the ones from Meinberg on your enterprise DMZ. Just a few clicks and your server will be used by the NTP Pool’s round-robin DNS. Here’s a simple tutorial:

Continue reading Adding your NTP Server to the NTP Pool Project