NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to use in a distributed denial-of-service (DDoS) attack. Please also take this opportunity to defeat denial-of-service attacks by implementing ingress and egress filtering through BCP38.
The final two security bugs reported by Google's Security Team have been fixed as of ntp-4.2.8p1.
A new set of mode 6 vulnerabilities has been discovered and, while these vulnerabilities can be reduced by making sure you have restrict default … noquery in your ntp.conf file, the best and most complete way to avoid these vulnerabilities is to install and deploy ntp-4.2.8p1, which was released on 04 February 2015.
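One way to check a configuration for the restrict default … noquery mitigation described above. This is an added example, not code from the NTP Project. The sample configurations, the server name and the function names are constructed, and the check only looks at lines whose address is the literal keyword default.

```python
# Added example (not NTP Project code): audit ntp.conf text for the
# "restrict default ... noquery" mitigation named in the notice.

# Constructed sample configurations; the server name is a placeholder.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer   # noquery is missing
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server ntp.example.net iburst
"""
HARDENED_CONF = WEAK_CONF.replace("nopeer   # noquery is missing",
                                  "nopeer noquery")

# Flags that stop mode 6 queries: noquery, or ignore (denies all packets).
BLOCKING = {"noquery", "ignore"}

def default_restrict_flags(conf_text):
    """Map address-family qualifier ('any', '-4', '-6') to the flags set
    on its 'restrict default' lines."""
    flags = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "any"
        if args[0] in ("-4", "-6"):
            family, args = args[0], args[1:]
        if args and args[0] == "default":
            # Assumption of this example: repeated lines are merged.
            flags.setdefault(family, set()).update(args[1:])
    return flags

def audit(conf_text):
    """Return (family, problem) findings; an empty list means every
    'restrict default' line present blocks queries."""
    flags = default_restrict_flags(conf_text)
    if not flags:
        return [("any", "no 'restrict default' line")]
    return [(fam, "missing noquery") for fam, f in sorted(flags.items())
            if not (f & BLOCKING)]

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

A clean result here only confirms the configuration line is present; upgrading to ntp-4.2.8p1 remains the complete fix the notice recommends.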
Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.
The NTP Public Services Project
Providing public support services for the NTP Project and hosting the IETF NTP Working Group. Copyright for the material on this web-site is held by the contributing authors. Please contact the webmaster and/or the contributing author with any questions regarding copyright.
NTP Security Information
Security related bugs, confirmed or suspected, are to be reported by e-mail to firstname.lastname@example.org.
Please refrain from discussing potential security issues in public fora such as the comp.protocols.time.ntp Usenet news-group, our Bug Tracking system, email@example.com, or any other mailing-list.
Please see our Security Notice for up to date information about security related issues pertaining to the Reference Implementation of NTP.
describes some of the procedures and efforts that go in to auditing the NTP codebase and making sure it is secure.
What is NTP (Network Time Protocol) ?
NTP is a protocol designed to synchronize the clocks of computers over a network to a common timebase (usually UTC).
NTP version 4 is a significant revision of the previous NTP standard, and is the current development version. It is specified by the following documents:
NTP version 3 was an internet draft standard, formalized in RFC 1305.
Why is NTP Important?
In a commercial environment, accurate time stamps are essential to everything from maintaining and troubleshooting equipment and forensic analysis of distributed attacks, to resolving disputes among parties contesting a commercially valuable time-sensitive transaction. In a programming environment, time stamps are usually used to determine what bits of code need to be rebuilt as part of a dependency checking process as they relate to other bits of code and the time stamps on them, and without good time stamps your entire development process can be brought to a complete standstill. Within law enforcement, they are essential for correlation of distributed communication events, forensic analysis, and potential evidentiary use in criminal proceedings. In essence, all debugging, security, audit, and authentication is founded on the basis of event correlation (knowing exactly what happened in what order, and on which side), and that depends on good time synchronization.
Another good explanation for this issue comes from Thomas Akin, in chapter 10 of his book Hardening Cisco Routers:
Time is inherently important to the function of routers and networks. It provides the only frame of reference between all devices on the network. This makes synchronized time extremely important. Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. When it comes to security, if you cannot successfully compare logs between each of your routers and all your network servers, you will find it very hard to develop a reliable picture of an incident. Finally, even if you are able to put the pieces together, unsynchronized times, especially between log files, may give an attacker with a good attorney enough wiggle room to escape prosecution.
Additional information on this subject can be found at UC Berkeley, University of Wyoming, in Rik Farrow's Network Defense columns for Network Magazine, and in the Linux System Administrators Guide at the Linux Documentation Project.
Please note, we are not lawyers, and nothing we say here can be construed as being legal advice.
That said, we believe that we can identify potential issues that you may need to be concerned about, although you'll need to talk to your lawyers to get their official legal opinion on these subjects.
There are legal requirements for good time synchronization, both in the US and abroad. In the US, legal requirements from CALEA, the DOJ, the FBI, and the FCC are currently set for a minimum accuracy of 200ms (two hundred milliseconds), and in 2006 this was extended to cover communications that occur via IP-based protocols, especially including networks using VOIP or VOIP-like technology (where you would be considered to be the equivalent of a telco), and might also be construed to include chat, irc, or any other IP-based communications protocol. In Europe, there are proposals on the table to tighten this requirement to ten milliseconds (see Agentschap Telecom, Format for date and time, ETSI/TC LI Rap#16, Groningen, 27-28 Jun 2007, Doc. ETSI/LI-rap16-td12), and in part this is being used as justification for the same level of standard in the US by the DOJ, FBI, and FCC in FCC Notice RM-11376.
Then there are the Federal Rules of Evidence, which govern the introduction of evidence in proceedings, both civil and criminal, in US Federal courts. While they do not apply to suits in state courts, the rules of many states have been closely modeled on these provisions. Of course, these rules may not be completely transferable to other legal jurisdictions in other countries, but they should serve as a good initial guideline.
Please note, we are not lawyers, and the following cannot be construed as legal advice. Before shipping any product that might be subject to US Export Restrictions, you and your lawyers should review all of the US Bureau of Industry and Security documents on the Export Administration Regulations and make your own determination of what issues are applicable to you and which guidelines you need to adhere to.
That said, neither the NTP Project nor the NTP Public Services Project has applied for a CCATS (Commodity Classification Automated Tracking System) ID or an Export Control Classification Number for the NTP protocol, algorithms, or source code.
This is an open source project that is available to the entire world, and therefore we believe it is not subject to any export controls. In addition, we do not do any encryption internally to our code, although we do make use of libraries from the OpenSSL project to generate keys and to check keys, during the process of authenticating a server to one or more clients. Note that OpenSSL is also another open source project, and is developed entirely outside of the US specifically to avoid any entanglements with export restrictions. As such, it should be covered under standard re-export clauses, and as a TSU Exception, in accordance with EAR Section 740.13(e).
The NTP Project
The NTP Project produces a reference implementation of the NTP protocol and implementation documentation through a largely volunteer effort. More information about this is available on the SoftwareDevelopment page. The NTP software distribution is copyrighted, as described in the NTP copyright page.
A list of reference clocks, ntp documentation, time and frequency standard stations, and time and frequency standard station transmission data is maintained at the Information on Time and Frequency Services page. Background information about NTP, along with briefings and a bibliography, are available at the Network Time Synchronization Project.
IETF NTP Working Group
The NTP Public Services Project is hosting the IETF NTP Working Group. The goal of this working group is to update the NTP protocol specification and advance the standardization status of NTP based on the extensive work from the NTP community. For more information visit the IETF NTP Working Group.
Information For New NTP Users
- New NTP users should read the Where-To-Start file included with the NTP distribution.
- Documentation for the current NTP distribution, along with additional information, is available on the documentation page.
- Community supported documentation is available in the Support Web of this site.
- NTP users who don't like to read documentation may want to refer to a QuickStart Guide.
- If you would like to find a server to get time from, please see the public NTP server list.
- If you would like to download NTP software please see the download page.
- If you would like to locate NTP software other than the reference distribution, please see the links page.
How can I help?
If you'd like to help the NTP Project and/or the community it serves, there are several ways to do that. Here are a few:
To contact the NTP web maintainer or any of the NTP developer team, please see the contact page. Please direct comments and questions about this web site to firstname.lastname@example.org