Nelson's log

NTP surveys

Way back in 1999 I did a survey of NTP. I spidered the whole Internet’s collection of NTP servers and published some statistics. From a desktop Linux box in my office at MIT, without permission, which raised a few eyebrows. But it was the 90s Internet and it was awesome.

These days NTP is much more widely deployed. It’s also been the cause of some security exploits and DDOS traffic, so I fear my kind of survey is much harder to do now. But I get requests about it occasionally, I think mostly from students. Here’s an email of answers I just sent today. Shodan’s view of NTP servers looks like an interesting place to start.

First of all,you use ntpq or ntpdc to do the query,is there any other method to do that now?

I mostly used ntpdc for access to the “monlist” command, which shows clients who are asking for the time (ie: downstream links). Both ntpq and ntpdc support “peers” to show where this particular server is asking for time (ie: upstream links). I also have used ntpdate to just query the time.

Secondly considering the Internet security,most of hosts are behind the firewalls,can the final result actually reflect to the true conditions?

Yes, you are right. It was a concern in 1999 when I did my survey and it’s only gotten much worse. I wonder now whether a survey like I did is even possible. There have been several high-profile security problems with NTP in the past few years, including an exploit in ntpd using monlist. Also NTP queries can be used for DDOS queries. The net result is that most servers are much more secure now and may not answer anything other than a basic “what time is it” query. Also I suspect a survey like mine would set off many alarms.

Finally,can I conduct the survey on a computer running Windows operating system?Can you give me some suggestions?

It should be possible on Windows, but I’m not sure how to do it. You want some way to make ~100 NTP requests simultaneously. It’s pretty easy since it’s just a UDP protocol, but I don’t know the best way to do that on Windows.
Two other things you should look into:
The NTP Pool is where most Internet clients get their time today. There’s about 4000 servers total and I’m sure there are plenty of opportunities to survey and research just those servers. The NTP pool developer community is friendly, you should talk to them before doing any significant survey work.
These days it is relatively easy to query every single IPv4 address in the world, all 4 billion of them. One site that does this regularly is Shodan. For example, here is their search result showing 835,000 NTP servers: