A Day in the Life of NTP : Analysis of NTPPool Traffic

Accurate timekeeping is crucial for the functioning of applications and protocols in distributed networks - especially the Internet. The default protocol used for synchronizing time among servers and peers in the Internet is the Network Time Protocol. NTP is usually unauthenticated and is therefore prone to attacks though there have been multiple extensions and additions to the protocol to make it more secure. There are multiple public time providers that provide NTP servers that clients can use to synchronize time. NTPPool is one such volunteer run project that uses DNS to map clients to NTP servers that are closest to them. This is done by using an open source software named GeoDNS in the authoritative DNS servers of NTPPool. SIDN Labs contributes multiple NTP servers to the NTPPool project. One of these servers is deployed in 30 sites through Anycast and serves millions of clients. There has been little research into the characteristics of traffic that is received at a public NTP server. This research aims at analyzing the traffic received at the anycast NTP server that SIDN contributes to NTPPool in order to analyze the characteristics of the traffic that it receives. This includes information such as type of clients that use the NTP service, the catchment of the anycast sites, presence of anomalies in the NTP traffic, etc. This research will provide valuable insight into the the current state of the NTP ecosystem.