February 20, 2019

How to Not be a Shamefully Bad Time Server Abuser

Time Server Abuse is Silly and Unnecessary

  • November 10, 2008
  • By Carla Schroder
Carla Schroder

Today's network administration tip tells how to not be a shamefully bad time server abuser, but rather a good responsible netizen, and keep the correct time as well.

Shameful Acts of Time Server Abuse

Time server abuse is not the problem it once was, thanks to the good folks who set up the NTP (Network Time Protocol) pool. But it still happens, and it's silly, because it's so easy to do it the right way.

Time server abuse is any act that violates the access rules of an NTP server, or damages it. Most public NTP servers are set up as an act of generosity; nobody makes money from them. The worst form of time server abuse is pummeling the poor thing until the person running it gets surprised by a giant bandwidth bill, or it crashes, or performance degrades but it keeps limping along. Most abuse is not malicious, but clueless; either way the damage is done. The most common form of abuse is violating the server's access policies. These are not deep dark secrets, and never have been.

Time server abuse is not perpetrated just by inexperienced network administrators — the worst cases are from vendors of networking devices. One might think that big companies all full of engineers and other paid brainiacs would not commit such acts of stupidity. But it has happened a number of times. Netgear was the first famous NTP server abuser. In 2003 it released four routers that were hard-coded to use the University of Wisconsin's NTP server. The result was a distributed denial-of-service attack that continued to escalate, at one point reaching nearly 150 megabits per second.

Netgear released firmware updates and gave a big bag of money to the University of Wisconsin, but the problem persists to this day because most of the people who own the defective routers will never patch them.

SMC and D-Link committed the same blunder. D-Link's case was more noteworthy because when the problem was first brought to their attention, they responded with attack lawyers. As the story unfolded, it turned out that D-Link was violating the access policies of nearly 50 Stratum 1 servers. That's an impressive achievement.

So the very least that clueful network administrators who care more about being responsible netizens than unleashing attack lawyers can do is to configure their own NTP clients sanely. It's very easy. First install the ntp program, which includes ntpd, the NTP daemon. This runs all the time keeping the correct time on your computer. You don't need to touch a thing; it takes care of itself. Then make these entries in /etc/ntp.conf:

driftfile /var/lib/ntp/ntp.drift
server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org

Residents of regions other than North America can find their appropriate NTP pools at www.pool.ntp.org.

Most of the major Linux distributions configure ntpdate to run when a network interface comes up, and are sensibly configured to use either the distribution's own NTP servers or the NTP pool. For example, Fedora uses clock.redhat.com, and Ubuntu uses ntp.ubuntu.com. ntpdate does not run as a daemon. It is good for making instant time corrections, and corrections larger than 20 minutes. ntp will eventually correct a system that is far out of sync, but it will take hours or even days.

What if you are using a commercial router? First find out if it is one of the nasty offenders. Then fix it, or change it to use the NTP pool. If this is not configurable, replace with a good router.

Carla Schroder is the author of the Linux Cookbook and the Linux Networking Cookbook.

Article courtesy of Enterprise Networking Planet, originally published June 25, 2007

Most Popular LinuxPlanet Stories