Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

On Borrowed Time: Measurement-Informed Understanding of the NTP Pool's Robustness to Monopoly Attacks

Robert Beverly, Erik Rye

TL;DR

This NDSS 2026 study provides a direct, longitudinal measurement of the NTP Pool to assess its robustness against monopoly attacks. By building a custom scraper, fingerprinting aliases, and analyzing netspeed, DNS answers, and residual traffic, the authors show that only about 20% of active servers are truly independent, revealing vulnerability to capacity-based attacks. They derive a principled formula to estimate the number of attack servers needed to capture half the traffic in a country and validate this with a practical in-zone experiment, illustrating real-world risk. The work suggests concrete robustness improvements, such as factoring server independence, lifetime, and ownership into pool selection decisions, and it highlights the need for stronger defenses against monopolization in open, volunteer-driven infrastructure.

Abstract

Internet services and applications depend critically on the availability and acc uracy of network time. The Network Time Protocol (NTP) is one of the oldest core network protocols and remains the de facto mechanism for clock synchronization across the Internet today. While multiple NTP infrastructures exist, one, the "NTP Pool," presents an attractive attack target for two basic reasons, it is: 1) administratively distributed and based on volunteer servers; and 2) heavily utilized, including by IoT and infrastructure devices worldwide. We %develop measurements to gather the first direct, non-inferential, and comprehensive data on the NTP pool, including: longitudinal server and account membership, server configurations, time quality, aliases, and global query traffic load. We gather complete and granular data over a nine month period to discover over 15k servers (both active and inactive) and shed new light into the NTP Pool's use, dynamics, and robustness. By analyzing address aliases, accounts, and network connectivity, we find that only 19.7% of the pool's active servers are fully independent. Finally, we show that an adversary informed with our data can better and more precisely mount "monopoly attacks" to capture the preponderance of NTP pool traffic in 90% of all countries with only 10 or fewer malicious NTP servers. Our results suggest multiple avenues by which the robustness of the pool can be improved.

On Borrowed Time: Measurement-Informed Understanding of the NTP Pool's Robustness to Monopoly Attacks

TL;DR

This NDSS 2026 study provides a direct, longitudinal measurement of the NTP Pool to assess its robustness against monopoly attacks. By building a custom scraper, fingerprinting aliases, and analyzing netspeed, DNS answers, and residual traffic, the authors show that only about 20% of active servers are truly independent, revealing vulnerability to capacity-based attacks. They derive a principled formula to estimate the number of attack servers needed to capture half the traffic in a country and validate this with a practical in-zone experiment, illustrating real-world risk. The work suggests concrete robustness improvements, such as factoring server independence, lifetime, and ownership into pool selection decisions, and it highlights the need for stronger defenses against monopolization in open, volunteer-driven infrastructure.

Abstract

Internet services and applications depend critically on the availability and acc uracy of network time. The Network Time Protocol (NTP) is one of the oldest core network protocols and remains the de facto mechanism for clock synchronization across the Internet today. While multiple NTP infrastructures exist, one, the "NTP Pool," presents an attractive attack target for two basic reasons, it is: 1) administratively distributed and based on volunteer servers; and 2) heavily utilized, including by IoT and infrastructure devices worldwide. We %develop measurements to gather the first direct, non-inferential, and comprehensive data on the NTP pool, including: longitudinal server and account membership, server configurations, time quality, aliases, and global query traffic load. We gather complete and granular data over a nine month period to discover over 15k servers (both active and inactive) and shed new light into the NTP Pool's use, dynamics, and robustness. By analyzing address aliases, accounts, and network connectivity, we find that only 19.7% of the pool's active servers are fully independent. Finally, we show that an adversary informed with our data can better and more precisely mount "monopoly attacks" to capture the preponderance of NTP pool traffic in 90% of all countries with only 10 or fewer malicious NTP servers. Our results suggest multiple avenues by which the robustness of the pool can be improved.
Paper Structure (33 sections, 1 equation, 11 figures, 7 tables)

This paper contains 33 sections, 1 equation, 11 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Background
  3. The NTP Pool
  4. Prior Work on The NTP Pool
  5. Motivation
  6. Methodology
  7. Threat Model
  8. Historic Score Data
  9. Scraper
  10. Netspeed
  11. Pool DNS answers
  12. Server Fingerprinting
  13. Residual NTP Client Traffic
  14. Validation
  15. Limitations
  16. ...and 18 more sections

Figures (11)

  • Figure 1: Methodology: The NTP Pool website maintains statistics and APIs (green box) that we periodically query (blue box) to exhaustively enumerate participating servers and their properties. We gather multiple longitudinal datasets described in Table \ref{['tab:datasets']}.
  • Figure 2: Lifetime of NTP Pool servers. More than 10% of servers participate for less than 10 days.
  • Figure 3: Distribution of the netspeeds of the 5,333 servers with nonzero netspeed in the NTP Pool. Another 57,049 servers have zero netspeeds, either because they are set to "monitor-only" or have been deleted.
  • Figure 4: Pool DNS response statistics: both the distribution of servers across zones as well as the per-zone DNS answer rates are highly skewed.
  • Figure 5: Overall Independence analysis
  • ...and 6 more figures