One incident was branded NTP vandalism in an open letter from Poul-Henning Kamp to the router manufacturer D-Link in 2006.
One particularly common NTP software error is to generate query packets at short (less than five-second) intervals until a response is received. While it might be technically reasonable to send a few initial packets at short intervals, it is essential for the health of any network that client connection re-attempts are generated at logarithmically or exponentially decreasing rates to prevent denial of service.
Examples of this backing down method can be found in the TCP specification for connection establishment, zero-window probing, and keepalive transmissions.
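The difference between the two retry behaviours described above can be counted directly. The following Python sketch is an added example, not code from the article or from any NTP implementation: it paces retries with exponential backoff, reacts to Kiss-o'-Death replies (stratum 0 with a four-character kiss code in the reference identifier field), and compares how many queries a single client sends during a one-hour server outage. The 5-second first retry, the 1024-second ceiling, and the choice to stop on any kiss code other than RATE are assumptions made for the illustration.

```python
"""Added example: retry pacing for an SNTP client (constants are assumptions)."""

MIN_WAIT = 5      # assumed first retry delay in seconds (the "short interval")
MAX_WAIT = 1024   # assumed ceiling for the backed-off retry delay in seconds


def make_reply(stratum: int, refid: bytes) -> bytes:
    """Build a constructed 48-byte server reply for offline testing."""
    # 0x24 = LI 0, version 4, mode 4 (server); refid occupies bytes 12..15.
    return bytes([0x24, stratum, 0, 0]) + bytes(8) + refid + bytes(32)


def kiss_code(reply: bytes):
    """Return the 4-byte kiss code of a Kiss-o'-Death reply, else None."""
    if len(reply) < 48 or reply[1] != 0:   # byte 1 is the stratum field
        return None
    return reply[12:16]


def next_wait(wait: int, reply):
    """Delay before the next query, or None to stop querying this server."""
    if reply is None:                      # timeout: double the delay
        return min(wait * 2, MAX_WAIT)
    code = kiss_code(reply)
    if code is None:                       # usable reply: keep current pace
        return wait
    if code == b"RATE":                    # server asks for a lower rate
        return min(wait * 2, MAX_WAIT)
    return None                            # DENY, RSTR, others: stop (assumed)


def queries_during_outage(outage_s: int, backoff: bool) -> int:
    """Count queries one client sends while the server is silent."""
    t, wait, sent = 0, MIN_WAIT, 0
    while t < outage_s:
        sent += 1                          # query at time t, no reply arrives
        t += wait
        if backoff:
            wait = next_wait(wait, None)
    return sent


if __name__ == "__main__":
    print("fixed 5 s retry:", queries_during_outage(3600, backoff=False))
    print("exponential    :", queries_during_outage(3600, backoff=True))
```

Multiplied across every deployed unit of a product with a hard-coded server address, the gap between the two counts is the load difference the server operator sees.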
[5] University personnel initially assumed this was a malicious distributed denial of service attack and took actions to block the flood at their network border.
Also in 2003, another case forced the NTP servers of the Australian Commonwealth Scientific and Industrial Research Organisation's (CSIRO) National Measurement Laboratory to close to the public.
[6] The traffic was shown to come from a bad NTP implementation in some SMC router models where the IP address of the CSIRO server was embedded in the firmware.
In 2005 Poul-Henning Kamp, the manager of the only Danish Stratum 1 NTP server available to the general public, observed a huge rise in traffic and discovered that between 75 and 90% was originating with D-Link's router products.
With the increased traffic caused by the D-Link routers, DIX requested he pay a yearly connection fee of 54,000 DKK (approximately US$9,920 or €7,230[8][9]).
The company denied any problem, accused him of extortion, and offered an amount in compensation which Kamp asserted did not cover his expenses.
After going public, Kamp realized that D-Link routers were directly querying other Stratum 1 time servers, violating the access policies of at least 43 of them in the process.
[15] As an apology and to assist in dealing with the load they generated, Snap also contributed timeservers to the Australia and South America NTP pools.
[22] TP-Link firmware update availability also varies by country, even though the issue affects all WiFi range extenders sold globally.
After the incident was resolved by pushing a hotfix, Yandex announced several measures to prevent similar problems in the future.
Among other actions, Yandex donated NTP servers to the pool, improved their monitoring, and indicated they would apply for a vendor zone,[26] which they did not have at the time.
Sections 8 to 11 of RFC 4330 are of particular relevance to this topic (The Kiss-o'-Death Packet, On Being a Good Network Citizen, Best Practices, Security Considerations).