Recent NTP pool traffic increase

Dan Drown dan-nanog at
Fri Dec 16 03:09:58 UTC 2016

Quoting Roland Dobbins <rdobbins at>:
> Do you have flow telemetry, which provides a lot more information  
> than basic pps/bps stats?

Sources are pretty widely spread out among cell networks/home  
internet, seem to be mostly US based.  I'm not seeing a large amount  
of traffic per single IP or single subnet.  This seems more like  
"someone pushed out bad firmware" rather than something malicious.

> Are you seeing normal timesync queries, or lots of level-6/level-7  
> admin command attempts?

SNTP Client timesync queries make up 91.3% of the traffic to my server.

The following NTP settings being most the popular (47% of all traffic  
to my server):

stratum=0, poll=4, precision=-6, root delay=1, root dispersion=1,  
reference timestamp=0, originator timestamp=0,
receive timestamp=0

More information about the NANOG mailing list