[Q] Why do many time servers time out on queries from ntpq -p? - NTP


  1. [Q] Why do many time servers time out on queries from ntpq -p?

    I've been trying the peers command in ntpq on a number of time
    servers and finding that for as many that do respond, there are about
    an equal number that do not. An example of a failing response is:

    ntpq> host sundial.columbia.edu
    current host set to hickory.cc.columbia.edu
    ntpq> peers
    hickory.cc.columbia.edu: timed out, nothing received
    ***Request timed out

    I can reproduce identical successes and failures from 3 computers
    running different OSs on independent networks.

    These I've tried work just fine:
    timex.cs.columbia.edu
    time.euro.apple.com
    lain.ziaspace.com
    ntp.nblug.org
    ntp1.cs.wisc.edu
    clock1.unc.edu

    But these time out:
    sundial.columbia.edu
    time.apple.com
    morose.quex.org
    ntp.sycharlutheran.org
    ntp.bytestacker.com
    ntp1.kansas.net

    All of the above were tested and gave the same results on
    kennedy1.aecom.yu.edu (Linux with ntpq 4.2.4p4@1.1520-o)
    fluxsoft.com (FreeBSD with ntpq 4.2.0-a)
    ool-45766590.dyn.optonline.net (Mac OS X with ntpq 4.1.1@.786)
    --

    Maurice Volaski, mvolaski@aecom.yu.edu
    Computing Support, Rose F. Kennedy Center
    Albert Einstein College of Medicine of Yeshiva University

  2. Re: [Q] Why do many time servers time out on queries from ntpq -p?

    On 2008-04-09, Maurice Volaski wrote:
    > I've been trying the peers command in ntpq on a number of time
    > servers and finding that for as many that do respond, there are about
    > an equal number that do not. An example of a failing response is:
    >
    > ntpq> host sundial.columbia.edu
    > current host set to hickory.cc.columbia.edu
    > ntpq> peers
    > hickory.cc.columbia.edu: timed out, nothing received
    > ***Request timed out


    The server operator has set a 'noquery' restriction.

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  3. Re: [Q] Why do many time servers time out on queries from ntpq -p?

    Maurice Volaski wrote:
    > I've been trying the peers command in ntpq on a number of time
    > servers and finding that for as many that do respond, there are about
    > an equal number that do not. An example of a failing response is:
    >
    > ntpq> host sundial.columbia.edu
    > current host set to hickory.cc.columbia.edu
    > ntpq> peers
    > hickory.cc.columbia.edu: timed out, nothing received
    > ***Request timed out
    >
    > I can reproduce identical successes and failures from 3 computers
    > running different OSs on independent networks.
    >
    > These I've tried work just fine:
    > timex.cs.columbia.edu
    > time.euro.apple.com
    > lain.ziaspace.com
    > ntp.nblug.org
    > ntp1.cs.wisc.edu
    > clock1.unc.edu
    >
    > But these time out:
    > sundial.columbia.edu
    > time.apple.com
    > morose.quex.org
    > ntp.sycharlutheran.org
    > ntp.bytestacker.com
    > ntp1.kansas.net
    >
    > All of the above were tested and gave the same results on
    > kennedy1.aecom.yu.edu (Linux with ntpq 4.2.4p4@1.1520-o)
    > fluxsoft.com (FreeBSD with ntpq 4.2.0-a)
    > ool-45766590.dyn.optonline.net (Mac OS X with ntpq 4.1.1@.786)


    If the server operator has 'noquery' specified in the default restriction it
    will prevent the server from responding to ntpq and ntpdc.

    Interestingly, I actually wrote a script that uses 'ntpq -pn' to randomly
    query client entries in my ntp_clients_stats log file. I've found that only
    about one percent respond on average.

    Dennis

    --
    Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
    NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php

  4. Re: Why do many time servers time out on queries from ntpq -p?

    On Apr 12, 12:29 am, Steve Kostecke wrote:
    > The server operator has set a 'noquery' restriction.


    I'll try to pre-emptively answer the next question, which is likely to
    be "why would they do that?"

    The answer is security. On our network, we follow the principle of
    least privilege. That is, we enable or allow only that which is
    required to perform a particular function, and nothing else. Some
    people call this a "default deny" permissions model.

    ntpq can leak information about your internal network structure that
    could be useful to an attacker. It is also another bit of network-
    enabled code that could have buffer overflows or other vulnerabilities.
    ntp (the protocol) functions just fine without mode 6/7 queries
    enabled, so they are disabled.
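
Added example, not part of any post in this thread: a small Python check of which source addresses an ntp.conf would still answer `ntpq`/`ntpdc` (mode 6/7) queries for, given the 'noquery' default restriction discussed above. The sample configuration and addresses are constructed, and the parser assumes numeric addresses, the `restrict address [mask m] flags` form, and longest-prefix matching; a source that is denied sees the "timed out, nothing received" result from the first post.

```python
import ipaddress

# Constructed sample ntp.conf (not from the thread): time service for everyone,
# ntpq/ntpdc (mode 6/7) answers only for localhost and one monitoring subnet.
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

def parse_restrict(conf):
    """Return [(network, flags)] for each 'restrict' line (simplified syntax)."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = tok[1:]
        family = tok.pop(0) if tok[0] in ("-4", "-6") else None
        if not tok:
            continue
        addr = tok.pop(0)
        if addr == "default":
            # Assumption: a bare 'default' covers both address families.
            nets = {"-4": ["0.0.0.0/0"], "-6": ["::/0"]}.get(
                family, ["0.0.0.0/0", "::/0"])
        elif len(tok) >= 2 and tok[0] == "mask":
            nets = [f"{addr}/{tok[1]}"]
            tok = tok[2:]
        else:
            nets = [addr]  # host entry: /32 or /128
        rules += [(ipaddress.ip_network(n), set(tok)) for n in nets]
    return rules

def query_allowed(conf, source):
    """True if a mode 6/7 query from `source` would be answered under `conf`."""
    src = ipaddress.ip_address(source)
    matches = [(net, flags) for net, flags in parse_restrict(conf)
               if net.version == src.version and src in net]
    if not matches:
        return True  # no matching entry means no restriction flags apply
    # The most specific (longest-prefix) matching entry decides.
    _, flags = max(matches, key=lambda m: m[0].prefixlen)
    return not flags & {"noquery", "ignore"}

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.55", "127.0.0.1", "2001:db8::1"):
        print(ip, "answered" if query_allowed(SAMPLE_CONF, ip) else "timed out")
```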

  5. Re: Why do many time servers time out on queries from ntpq -p?

    On 2008-04-12, Ryan Malayter wrote:

    > On Apr 12, 12:29 am, Steve Kostecke wrote:
    >
    >> The server operator has set a 'noquery' restriction.

    >
    > I'll try to pre-emptively answer the next question, [which] is likely to
    > be "why would they do that?"
    >
    > The answer is security.


    It also denies the users of a time server potentially valuable
    information about that server's time sources.

    You may find it acceptable to use a black box time source with
    un-auditable time sources. I do not.

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  6. Re: Why do many time servers time out on queries from ntpq -p?

    On Apr 12, 7:23 pm, Steve Kostecke wrote:
    > > The answer is security.

    >
    > It also denies the users of a time server potentially valuable
    > information about that server's time sources.
    >
    > You may find it acceptable to use a black box time source with
    > un-auditable time sources. I do not.
    >


    There is nothing about the ntpq output that couldn't be trivially
    faked by a malicious server operator. Mode 6/7 capability adds no true
    security or assurance to the users of an ntp server. Authentication
    does not solve this problem either.

    In reality, all public ntp servers are "black boxes", because you
    can't trust anything they tell you, including the time. This is why
    you configure a diverse set of time servers.

    --
    RPM

  7. Re: Why do many time servers time out on queries from ntpq -p?

    Ryan Malayter wrote:
    > On Apr 12, 7:23 pm, Steve Kostecke wrote:
    >>> The answer is security.

    >> It also denies the users of a time server potentially valuable
    >> information about that server's time sources.
    >>
    >> You may find it acceptable to use a black box time source with
    >> un-auditable time sources. I do not.
    >>

    >
    > There is nothing about the ntpq output that couldn't be trivially
    > faked by a malicious server operator. Mode 6/7 capability adds no true
    > security or assurance to the users of an ntp server. Authentication
    > does not solve this problem either.
    >


    That may be, but mode 6/7 is used to also configure the server and for
    DNS when necessary.

    > In reality, all public ntp servers are "black boxes", because you
    > can't trust anything they tell you, including the time. This is why
    > you configure a diverse set of time servers.


    If you want to trust them you should use autokey.

    Danny
