Yesterday, Chinese security services published a story alleging a multi-year attack against the systems operating the Chinese standard time (CST), sometimes called Beijing Standard Time. China uses only one time zone across the country, and has not used daylight saving time since 1991. Most operating systems use UTC internally and display local time zones for user convenience. Modern operating systems use NTP to synchronize time. Popular implementations are ntpd and chrony. The client will poll several servers, disregard outliers, and usually sync with the “best” time server based on the latency and jitter it detects.
Based on the “Beijing Time Incident”, let’s review options to synchronize your network’s clocks. One popular option is to use the NTP “Pool”, “pool.ntp.org”, or a subset of this pool (like north-america.pool.ntp.org or asia.pool.ntp.org). Currently, ntppool.org counts 5788 participants, which is impressive [1]. ntppool.org monitors the servers and recently upgraded its monitoring system [2]. Participating servers are assigned scores, which are then used to rank them in the pool. The open nature of the NTP Pool project has sometimes led to questions about the reliability and safety of the pool. Shodan, for example, added systems with IPv6 addresses to the NTP Pool to identify IPv6 addresses worthy of scanning [3][4].
We have published a list of IP addresses in the NTP Pool for a few years. We obtain this list from DNS lookups and some from our honeypot data. NTP servers can trigger false positives with firewalls that have difficulty managing UDP “state”. You can use our API to retrieve the current list we identified [5].
A quick breakdown of the offset we detect shows that the NTP Pool is quite accurate. Clients should easily discard the few outliers.
Note that the chart uses logarithmic scales to show the drop-off. On linear scales, the graph would show a spike at “0”. Most of the time, servers have an offset of less than 10 milliseconds, and there are very few above 100 milliseconds, making this perfectly adequate for most applications that use NTP. NTP is looking for millisecond accuracy, and applications requiring better accuracy should likely use local time standards and protocols like PTP.
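To make the "poll several servers, discard outliers, pick the best" behavior concrete, here is an added example (not code from ntpd, chrony, or this diary). It is a deliberate simplification: real clients use intersection and clustering algorithms, while this sketch uses a median test with an assumed 100 ms tolerance; the server names and timestamps are constructed.

```python
from statistics import median

def offset_delay(t1, t2, t3, t4):
    """Standard NTP on-wire math: t1/t4 are client clock, t2/t3 server clock (seconds)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def summarize(polls):
    """Reduce one server's polls to (offset, delay, jitter) using its lowest-delay sample."""
    samples = sorted((offset_delay(*p) for p in polls), key=lambda s: s[1])
    offset, delay = samples[0]
    rest = samples[1:]
    # Jitter: RMS difference between the chosen offset and the other samples.
    jitter = (sum((o - offset) ** 2 for o, _ in rest) / max(len(rest), 1)) ** 0.5
    return offset, delay, jitter

def select(servers, tolerance=0.100):
    """Reject servers further than `tolerance` s from the median offset (assumed rule),
    then return (best, rejected, stats) where best has the lowest delay + jitter."""
    stats = {name: summarize(polls) for name, polls in servers.items()}
    mid = median(s[0] for s in stats.values())
    survivors = [n for n, s in stats.items() if abs(s[0] - mid) <= tolerance]
    rejected = sorted(set(stats) - set(survivors))
    best = min(survivors, key=lambda n: stats[n][1] + stats[n][2])
    return best, rejected, stats

def fake_poll(t1, true_offset, out, back, proc=0.001):
    """Constructed exchange: server clock is ahead by true_offset, path takes out/back seconds."""
    t2 = t1 + out + true_offset
    t3 = t2 + proc
    t4 = t1 + out + proc + back
    return t1, t2, t3, t4

# Constructed sample data (hypothetical server names); "d" is fast and stable but 2.5 s off.
PATHS = {
    "a": (0.002, [(0.010, 0.010), (0.015, 0.011), (0.012, 0.012)]),
    "b": (-0.001, [(0.030, 0.030), (0.034, 0.031), (0.031, 0.030)]),
    "c": (0.004, [(0.005, 0.005), (0.005, 0.006), (0.006, 0.005)]),
    "d": (2.5, [(0.004, 0.004)] * 3),
}
SERVERS = {name: [fake_poll(1000.0 + 64 * i, off, out, back)
                  for i, (out, back) in enumerate(paths)]
           for name, (off, paths) in PATHS.items()}

if __name__ == "__main__":
    best, rejected, stats = select(SERVERS)
    print("selected:", best, "rejected:", rejected)
    for name, (off, delay, jit) in stats.items():
        print(f"{name}: offset={off * 1000:+.1f} ms delay={delay * 1000:.1f} ms jitter={jit * 1000:.2f} ms")
```

Server "d" has the lowest delay and jitter, so a client that ranked on those alone would follow it; the offset check against the other servers is what removes it.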
So, in short, pool.ntp.org is an excellent option for most applications. If you want to do better, or are worried about the stability and security of pool.ntp.org, your best option is a local time standard. There are very affordable options from centerclick.com.
Side Note: The US time standard is managed by NIST in collaboration with the US Naval Observatory [6]. After graduating, I had a job offer to start working for NIST, not on the time standard, but the standard for the kilogram. At the time (1995), a lengthy government shutdown caused the offer to fall through, and I took a different job. As they say, the rest is history, but I am still interested in the overall subject matter :).
[1] https://www.ntppool.org/zone
[2] https://news.ntppool.org/2025/07/monitoring-v4/
[3] https://isc.sans.edu/diary/Targeted+IPv6+Scans+Using+poolntporg/20681
[4] https://seclists.org/oss-sec/2016/q1/219
[5] https://isc.sans.edu/api/ntppool?json (or without ?json for XML)
[6] https://nist.time.gov
—
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu