networking - Questionable NTP Traffic at Firewall?

2014-07-08
  • noloader

    I checked my firewall logs and noticed odd traffic patterns for NTP or UDP/123 (shown below). I don't understand the round-robining that's occurring from my hosts. And I don't understand why it's happening on multiple hosts.

    When I configure time, I usually use Apple default, Microsoft default, Fedora default, Ubuntu default, etc. If I configure, then I use NIST's servers.

    First question: is anyone familiar with the behavior shown below? Perhaps it is a common library sampling in an effort to find the closest NTP server with the lowest latency?

    Second question: does m0n0wall allow me to rewrite traffic such that I can redirect all NTP requests to time-c.nist.gov and time-d.nist.gov? I don't want to drop the traffic outright; but sending it to a known good host would make me feel better.


  • Answers
  • noloader

    Those look like pool.ntp.org servers. These are the default servers for Fedora and Ubuntu. They have a vendor namespaces program so Fedora uses 0.fedora.pool.ntp.org and Ubuntu uses 0.fedora.pool.ntp.org. In order for servers to be listed in the pool they have to serve accurate time. So there really is no need to change the settings and it helps take the load off the NIST servers.


  • Related Question

    time - Why is my NTP controlled computer clock two minutes ahead?
  • Martin Liversage

    The clock in my computer is configured to be synchronized using NTP. To verify this I have tried two NTP clients using various NTP servers. My computer and the NTP clients are in complete agreement about the current time even across a wide range of NTP servers.

    I also have a GPS and my national phone company provides an accurate clock available by calling a specific phone number. Both my GPS and the phone company agrees on the current time. However, my computer is almost precisely two minutes (or 1 minute and 59 seconds) ahead of what I believe to be the "real" current time where I live.

    Why is my computer two minutes ahead? I realize that synchronizing clocks using the internet may not be entirely accurate as there is latency, but two minutes is a very long time on the internet. Is NTP really two minutes ahead? I'm running Windows 7 and live in the time zone UTC+1, but I don't think that is important in understanding my problem.


  • Related Answers
  • GAThrawn

    GPS time isn't the same as UTC, it's just very close.

    GPS is a very accurate source as far as time differences go, but as it doesn't take into account leap seconds it hasn't actually been in sync with UTC since January 1980. However it's only about 15 seconds ahead, so that doesn't account for your 2 minute difference.

    If your other time sources are based on the international atomic clock standard (TAI, Temps Atomique International), then they're also not set to UTC, not because they're inaccurate, but more because UTC is; again they don't take into account leap seconds, and their time is based on ticks of the SI standard 'second' rather than being based on the rotation/orbit of the Earth as UTC is. They're about 34 seconds ahead of UTC. Still doesn't account for your difference.

    See here http://leapsecond.com/java/gpsclock.htm or here http://en.wikipedia.org/wiki/Global_Positioning_System#Timekeeping for more info.

  • Spiff

    If you disable NTP, set your computer's clock wrong by several minutes (perhaps 2 minutes slow instead of 2 minutes ahead), and then re-enable NTP, does it stay 2 minutes slow, or go back to 2 minutes ahead?

    I ask because I've seen NTP software silently fail before, so although it looked like the NTP software was enabled, and even though I had packet traces showing the NTP queries going out to the server and the responses coming back in, my system clock still wasn't getting set to what the time server was saying.

    It would be interesting to see packet traces showing your NTP lookups. For example a tcpdump of "port 123" with the "-v" and "-s0" options set should show what you need to know.

  • Martin Liversage

    Unfortunately I made some mistakes when I posted my question. I wanted to bypass the NTP service of my computer to provide an independent source of internet time information and used two simple utilities for that. I believed these utilities were getting time information from the internet using NTP when they in fact were displaying the (wrong) local time on my computer.

    In my initial question I was rather vague about how NTP was used by my computer. It is part of an Active Directory domain and time is synchronized from the domain controller. I had verified that the configuration was OK, but I had overlooked a small detail.

    Solution

    The domain controller was running in a Hyper-V virtual machine. The Windows time service on the domain controller was configured properly to use NTP, but the Hyper-V virtual machine had all integration services enabled including time synchronization. This setting will always keep the time on the virtual machine synchronized with the Hyper-V host even if you set the clock manually or through NTP.

    The solution was simply to disable that particular integration service in the Hyper-V manager for the domain controller virtual machine. Restarting the Windows time service immediately corrected the time on the domain controller and subsequently on my computer.

  • bignose

    It's also important to remember that many NTP clients will refuse to change the clock by large amounts; if the times are so discrepant, then there's a good chance at least one of them is wildly wrong and needs human intervention.
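To make sense of the packet trace Spiff suggests, and to see why a client refuses large corrections as bignose describes, here is an added example (not code from any poster in this thread) that parses an NTP v4 server reply, computes the RFC 4330 clock offset and applies ntpd's default step (128 ms) and panic (1000 s) thresholds. The packet bytes and timestamps are constructed, modelling the two-minutes-ahead client from the related question.

```python
"""Parse an NTP (RFC 5905) server reply, compute the clock offset and decide
whether an ntpd-style client would slew, step, or refuse to touch the clock.
Added example for this thread; thresholds are ntpd's documented defaults."""
import struct
from dataclasses import dataclass

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
STEP_THRESHOLD = 0.128         # ntpd default: slew below this, step above it
PANIC_THRESHOLD = 1000.0       # ntpd default: refuse to set the clock above this

def ntp_to_unix(raw: int) -> float:
    """64-bit NTP timestamp (32.32 fixed point) -> Unix seconds as float."""
    return (raw >> 32) - NTP_EPOCH_OFFSET + (raw & 0xFFFFFFFF) / 2**32

def unix_to_ntp(t: float) -> int:
    secs = int(t) + NTP_EPOCH_OFFSET
    return (secs << 32) | int((t - int(t)) * 2**32)

@dataclass
class NtpReply:
    mode: int        # 4 = server reply
    stratum: int
    ref_id: bytes    # 4-byte reference identifier
    t1: float        # origin timestamp (copied from the client's request)
    t2: float        # server receive timestamp
    t3: float        # server transmit timestamp

def parse_reply(pkt: bytes) -> NtpReply:
    """Decode the 48-byte NTP header; extra bytes (MAC/extensions) are ignored."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(pkt))
    origin, recv, xmit = struct.unpack("!3Q", pkt[24:48])
    return NtpReply(pkt[0] & 0x7, pkt[1], pkt[12:16],
                    ntp_to_unix(origin), ntp_to_unix(recv), ntp_to_unix(xmit))

def clock_offset(r: NtpReply, t4: float) -> float:
    """RFC 4330 offset ((T2-T1)+(T3-T4))/2; negative means local clock is ahead."""
    return ((r.t2 - r.t1) + (r.t3 - t4)) / 2

def decide(offset: float) -> str:
    """What an ntpd-style client does with this offset."""
    mag = abs(offset)
    if mag > PANIC_THRESHOLD:
        return "refuse"      # needs human intervention (or ntpd -g)
    return "step" if mag > STEP_THRESHOLD else "slew"

def build_reply(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed sample reply: LI=0, VN=4, mode=4, poll=6, precision=-20."""
    head = bytes([0x24, stratum, 6, 0xEC]) + b"\x00" * 8 + b"\x00\x00\x00\x00"
    return head + struct.pack("!4Q", 0, unix_to_ntp(t1), unix_to_ntp(t2), unix_to_ntp(t3))
```

Feed real packets captured with tcpdump (port 123) into `parse_reply` and the client's receive time into `clock_offset`; an offset near -120 s here reproduces the "two minutes ahead" symptom, which falls in the step range rather than the refuse range.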