Spectracom - Essential Ingenuity


NTP Throughput

SecureSync and NetClock 9400 units can process over 7,500 NTP requests per second. This capability is per system based on its main network processor. The model 1204-06 Gb Ethernet Option Module simply splits this bandwidth across its four different network interfaces.

Synchronizing Windows Computers

Microsoft Windows PCs (such as Windows XP, 2000, 2003, 2008, 7, etc.) can be configured to sync to a Spectracom NTP time server. Many newer versions of Windows use the built-in "Windows Time Service" (aka W32Time) for external time synchronization. Spectracom's "Synchronizing Windows Computers" Tech Note assists with configuring Windows computers.

NTP Vulnerabilities Prior to Version 4.2.8p4

Thirteen low and medium severity vulnerabilities were identified in NTP versions 4.2.8p3 and earlier. This affects SecureSync and NetClock 9400 products running SW versions 5.3.0 and earlier, and all NetClock 9200/9300 product versions.

NTP access restriction

By factory default configuration, all nodes and subnets on the time server's network(s) have access to NTP. However, it may be desired to restrict NTP access to only one or more individual nodes or subnets. The time server supports limiting access to NTP via its "NTP Access Restriction" configuration.

"Ref ID" field for NTP references

NTP reports a "Ref ID" for each configured reference that it can sync with. With the System Reference, this will start out as ".GPS", or some other value based on the synchronizing reference, but it may also change to ".PPS." later on in systems with SecureSync/NetClock SW versions 5.2.0 and earlier.

Verifying NTP Queries are Disabled in SecureSync and NetClock 9400

Several NTP vulnerabilities are associated with NTP's NTPQ or NTPDC functionality. The Spectracom SecureSync and NetClock 9400 have NTPQ/NTPDC disabled by default, which mitigates these types of vulnerabilities. Note that NTPQ and NTPDC being disabled does not affect the operation of NTP synchronizing clients on the network.

NTP Vulnerabilities Prior to Version 4.2.8

On December 18, 2014, several NTP vulnerabilities were published as CVE-2014-9293 through 9296. The vulnerabilities are based on queries from an unknown entity. By default, external queries are turned off in SecureSync and NetClock products, which is an appropriate mitigation against these vulnerabilities.

Manually Setting the System Time

SecureSync and NetClock time servers have the ability to sync to several types of external time references (such as GPS and/or IRIG, for example). But they also have the ability to sync to themselves, using the "User" mode. The User mode allows the time server to go to NTP Stratum 1 without the need for external references to be applied.

Syncing Domain Controller with PresenTense, Clients with Windows Time

When using PresenTense software to sync a Windows network, typically all nodes are synced with PresenTense. However, it may be desired to sync just the Domain Controller (DC) to the NTP server using PresenTense software and to sync the Windows clients to the DC using the Windows Time Service. This can be done by installing PresenTense Client software on the Domain Controller and then modifying the Advanced Settings of the PresenTense Client software to allow PresenTense and Windows Time to work in conjunction with each other.

Compliance of Spectracom Time Servers with RFC 2783 - Operating System Time Disciplining by 1PPS

List NTP Clients Receiving Time from SecureSync/NetClock 9400 Using Monlist

The ntpdc monlist command can be run from the command line interface to identify the NTP clients.

DDoS / Amplification Attack using ntpdc monlist command

Spectracom disables NTP queries by default, so it is not at risk for the vulnerability described in CVE-2013-5211. However, we recommend you verify that the NTP server has not been configured to allow queries, or that you have adequate network security to reduce the risk of an attack due to monlist.

Reporting the time offset between a Windows PC and NTP server

Windows w32tm has a utility called "stripchart" which can report the time difference between a Windows PC and an NTP server on the network at periodic intervals (every two seconds by default). This can either be the same NTP server that it normally syncs with, or any other NTP server on the network.

Why does "NTP" indicate "Not Valid" in the NTP Reference Status table

The Reference Status table (Status -> Time and Frequency page of the browser) reports the validity of the input references (not outputs). NTP output status is indicated at the top of the Status -> NTP page of the browser.

Network Time Protocol Project Home

The web address for the official home of the NTP project.

Using Automachron to Test a Spectracom NTP Server

Automachron (freeware) is a great utility for testing the NTP output of a Spectracom NTP time server.