NIST NTP servers

Sharon Goldberg goldbe at
Wed May 11 19:15:37 UTC 2016

Well, if you really want to learn about the NTP servers a target is using
you can always just sent them a regular NTP timing query (mode 3) and just
read off the IP address in the reference ID field of the response (mode 4).

Reference ID reveals the target that the client is sync'd to.

If you do this over and over as the client changes the servers it sync's
to, you learn all the servers.

Or if you are really keen you can use our "kiss-of-death" attack to learn
all the servers a client is willing to take time from. See sections V.B-V.C
of our paper.


On Wed, May 11, 2016 at 3:07 PM, Florian Weimer <fw at> wrote:

> * Chris Adams:
> > First, out of the box, if you use the public pool servers (default
> > config), you'll typically get 4 random (more or less) servers from the
> > pool.  There are a bunch, so Joe Random Hacker isn't going to have a
> > high chance of guessing the servers your system is using.
> A determined attacker will just run servers in the official pool.

Sharon Goldberg
Computer Science, Boston University

More information about the NANOG mailing list