Adding servers to the China zone


The only “firewalling” (which they refer to as IP filtering) on the router is the option to route packets to the internal network (i.e. my /29 subnet). If I switch it off, it doesn’t route anything at all (despite the routes being in the routing table) - and yes, I was also confused that this was only enabled within the IP filtering rules - so much so that it took a call to tech support to get the router to function as one, rather than a NAT gateway, bridge, or simply a doorstop! The only way to allow packets into and out of the subnet is to have a rule in place allowing it, otherwise all traffic is blocked, even with the firewall switched off (well, the filter table empty, which is as close as it will allow), despite routes being in place in the routing table! No other rules are in place, so no real firewalling is happening - all packets for my subnet are simply passed on to the relevant device behind the router, anything from inside that is bound for anywhere else gets thrown up the wire (and fibre, once it gets to the cabinet in the street) to my ISP to sort out! Of course, if it isn’t supposed to be coming to my subnet it shouldn’t be arriving at the router on the external (VDSL) interface at all, but that is for my ISP to manage!
Bizarre, I know, but that is how the software on it works (or doesn’t, if the Chinese are hammering it with NTP requests)!

It appears to me that some Chinese DNS servers cache DNS lookups to the pool, and only regard a pool record as stale if the site becomes unreachable, at which point they look for another victim. Of course, this caching breaks the load balancing of the pool!
What I’ve seen is that following my addition to the CN zone in an attempt to kickstart it, it took a short while before my IP happened to get handed to their DNS, at which point everyone using that DNS server in China started beating on my IP address asking for the correct time! This knocked my router (and whole subnet) offline until the pool saw that I’d gone, removed me as my score was below 10 (it used to be pegged at 20) and the Chinese gave up and asked for another IP address. Then my network recovered, and ran fine, until whatever random time after reaching a score of 10 my IP address happened to get handed to them again. Rinse and repeat. Going by another thread on here, I’m not the first to suffer from this, which tends to confirm that it is not a problem with my setup (which was working fine until I volunteered to join the CN zone to bootstrap it; I think we may be finding out why it needed bootstrapping in the first place!)
Of course, it may only be a subset of the DNS servers in China which are behaving in this way, but it seems to be quite enough to cause a problem, and is probably the reason for so few NTP servers being in the CN zone, relative to the size and population of the country - this DNS caching keeps knocking them over, so it’s only with the aid of some rate limiting filter that any NTP server can survive in the CN zone.


Did you use pf or ipfw on FreeBSD (firewall machine)?



After they added me to the CN zone last week, I saw a lot of fw states going up towards 500k, almost up to 1 million steady.
Thanks to avij; when I saw what he wrote about notrack on the fw rules, I looked into the pfSense that I’m using and I have turned “state type” to “none” on those rules now, and am only seeing about 100k towards 300k filter states.

I’m new to this, and I think I have to disable the fw/nat in pfSense if I want all filter states to go away?
I want to have nat enabled, and if someone has done this before and wants to give me a right direction on how I can do it, I will be deeply appreciative of any info I can get. Anyway, the fw has it a lot better with 100k+ states :slight_smile:


I use ipfw (which is actually fw2) on the firewall/ntp server. Firewalling was the original function of the machine, but it was running at such a light load that I added the PPS GPS (Garmin 18x LVC) to it and made it a public stratum 1 ntp server as well, then volunteered it for the pool. Apart from since the Chinese problems, it is still fairly lightly loaded, but does at least do a bit more to justify its electrical supply now :slight_smile:


Yes, it may be possible that some Chinese DNS servers don’t obey the specified TTL of 150 seconds, but that is not the reason why the CN zone is overloaded. DNS servers (Chinese and elsewhere) don’t care if the NTP server in the DNS response is reachable or not. There simply isn’t such a feedback loop. The reason why there are problems is that there are zillions of pool users in China, and relatively few servers. Therefore those few servers will get a large amount of traffic, and if they aren’t configured properly, they will end up dying under the load. Serving a large amount of traffic may also be costly, and that may drive away some NTP server admins. My US server which is also in the CN zone sends around 2.5TB of NTP responses each month.

When your score drops below 10, your IP address is removed from rotation. This will typically drop your traffic to about a half (depending on how long your server has been in the pool etc) within 15 minutes or so. Those clients using software (such as ntpd) that do a lookup only at startup will continue requesting time from your server until the software or server is restarted. That traffic will also die down eventually, but much more slowly because some servers might be up for years without rebooting.

Many NTP server admins are surprised by the amount of traffic in some zones. It may very well be possible that big chunks of that traffic are abusive in nature, ie. misconfigured systems that poll the time every 10 seconds and such. Fixing those would of course be nice, but until that happens, the pool’s NTP servers will need to answer those NTP requests. If it isn’t your server, it’s going to be someone else’s server.

Even slower servers and routers can handle the traffic if configured properly. I don’t know if it’s possible in your environment, but one option might be to configure your router as a dumb bridge (ie. don’t assign it a public IP address at all) and handle the routing on a more capable server. That is usually the way I configure my home routers, so I don’t need to worry about my blood pressure trying to configure the cheap routers to do what I really want.

edit: Also, if you don’t have sufficient upstream bandwidth, that may also cause problems. 5000 pps is roughly 5Mbit/s. I don’t know what kind of request rates you were seeing.


There is an enormous amount of totally “wild” clients around. Generally I have seen a huge amount of traffic like that (I just copied the first several entries a few minutes ago):

ntpdc> mo
remote address          port local address      count m ver code avgint  lstint
===============================================================================
          8764   3825272 3 4    1f0      0       0
         58085  20907303 3 4    1f0      0       0
         10062  10270354 3 4    1f0      0       0
         34729  11434538 3 4    1f0      0       1
          4360    575889 3 4    1f0      7       1
         54103    624369 3 4    1f0      5       1
         39086   9392631 3 4    1f0      0       1
          2090   3991797 3 4    1f0      0       1
         21884   7505310 3 4    1f0      0       1
         30168    934158 3 4    5f0      4       1
         24602    480341 3 4    5f0      6       2
         16389    339827 3 4    5f0      9       2
          4799    373675 3 4    1f0      8       2
          7009   4715482 3 4    1f0      0       2
         14389    551624 3 4    5f0      6       2
          3054    703111 3 4    1f0      4       2

I did make quite an extensive list in ipf when I was trying to battle it, excluding partially even whole subnets; however, I did not take care of it for some time, and there are now, e.g., several IPs with over 10 million requests at an average of 0 seconds; one is now on 21 million, avg 0 sec.

From relatively recently (second half of 2016 approx.) we (the Internet) have the huge new problem of IoT cameras and many routers from a series of producers having fixed initial root/admin passwords which have to be changed by the end-user. Which they do not; many are probably not even aware of this need. What happened is that there is a new virus spreading, which tries to log in from IP to IP, one after another, searching for any connected equipment with the fixed root/admin passwords. (I see an enormous amount of this ‘telnet’/‘ssh’ trying on my servers, which also sometimes influences the NTP servers’ availability.) After logging into such a (mostly) internet camera or home router, the virus can install itself and any other software it likes (because the basis of probably all of that equipment is BusyBox).

Though I have no proof, I have a strong feeling that the enormous, tens of millions of times in a row, amount of NTP requests comes primarily from that equipment (and there are millions of such unprotected IoTs around!), as I never before last year saw something like that.

The China zone is full of such misbehaving equipment; I tracerouted some of the incoming requests.

Presently my China zone server copes reasonably well, but you can see regular drops at certain times. However, I would not say that I would have any connectivity problems, as the internal network is multiple 100Mb/s and the external connection is 2 * 2 Gbit/s (if not upgraded in the last several years) (Rudjer Boshkovich Institute, Zagreb, Croatia). This server is a SunFire X4100 (2 * dual AMD Opteron, 2 GHz), Solaris 10. [About what Avij said about “even slower servers”: I posted some time ago about my Sun 3/60 (MC68020+68881, 20MHz, 24MiB RAM), SunOS 4.1.1, acting already for years as part of the ntp pool, and my web server :slight_smile:]

A (preliminary) list of client IPs requesting time millions of times constantly
Netherlands Zone Daily Traffic Spike

I just started a thread with an ip filtering rules list with the IPs of absolutely persevering clients:
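The listing quoted above is the kind of input an operator works from when building such a filter list. The following is an added example, not the poster's code: it parses `ntpdc` monlist-style rows (remote address, port, local address, count, m, ver, code, avgint, lstint) and picks out the clients that have already sent a very large number of requests at an average interval below ntpd's own minimum poll of 16 seconds. The sample rows are constructed with RFC 5737 documentation addresses, and the thresholds are this example's choice, not anything the pool prescribes.

```python
"""Pick out persistently over-polling NTP clients from monlist-style output.

Added example, not code from the thread. Column layout follows the quoted
header; the sample addresses are RFC 5737 documentation ranges (constructed).
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the monlist layout; addresses are documentation ranges.
SAMPLE_MONLIST = """\
ntpdc> mo
remote address          port local address      count m ver code avgint  lstint
===============================================================================
192.0.2.10              8764 198.51.100.1     3825272 3 4    1f0      0       0
192.0.2.11             58085 198.51.100.1    20907303 3 4    1f0      0       0
203.0.113.5             4360 198.51.100.1      575889 3 4    1f0      7       1
203.0.113.6            24602 198.51.100.1      480341 3 4    5f0      6       2
192.0.2.200              123 198.51.100.1         812 3 4    1f0     64      17
"""

# One data row: the prompt, header and separator lines do not match this.
ROW_RE = re.compile(
    r"^(?P<remote>\S+)\s+(?P<port>\d+)\s+(?P<local>\S+)\s+(?P<count>\d+)\s+"
    r"(?P<mode>\d+)\s+(?P<ver>\d+)\s+(?P<code>[0-9a-fA-F]+)\s+"
    r"(?P<avgint>\d+)\s+(?P<lstint>\d+)\s*$"
)


@dataclass
class MonEntry:
    remote: str
    port: int
    count: int      # requests seen from this client since the daemon started
    mode: int       # NTP mode; 3 = client
    version: int
    avgint: int     # average seconds between requests (0 = under one second)
    lstint: int     # seconds since the last request


def parse_monlist(text: str) -> List[MonEntry]:
    """Parse data rows; non-matching lines (prompt, header, ruler) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        entries.append(MonEntry(
            remote=m["remote"], port=int(m["port"]), count=int(m["count"]),
            mode=int(m["mode"]), version=int(m["ver"]),
            avgint=int(m["avgint"]), lstint=int(m["lstint"]),
        ))
    return entries


def flag_persistent(entries: List[MonEntry], max_avgint: int = 16,
                    min_count: int = 100_000) -> List[MonEntry]:
    """Clients averaging under `max_avgint` seconds between requests that have
    already sent at least `min_count` of them, busiest first.

    16 s is ntpd's minimum poll interval (minpoll 4); the count floor keeps a
    client that briefly burst at startup out of the list. Both thresholds are
    assumptions made for this example.
    """
    hits = [e for e in entries if e.avgint < max_avgint and e.count >= min_count]
    return sorted(hits, key=lambda e: e.count, reverse=True)


def table_lines(entries: List[MonEntry]) -> List[str]:
    """Unique addresses, one per line: the format a pf `table <name> file`
    or a hand-maintained filter list is loaded from."""
    seen: List[str] = []
    for e in entries:
        if e.remote not in seen:
            seen.append(e.remote)
    return seen


if __name__ == "__main__":
    flagged = flag_persistent(parse_monlist(SAMPLE_MONLIST))
    for e in flagged:
        print(f"{e.remote:<16} count={e.count:>9} avgint={e.avgint}s")
```

Feed it the saved output of `ntpdc -c monlist` (or the equivalent from whatever daemon you run) and review the result by hand before loading it into a firewall table; a client with a low average interval but a small count may simply be a freshly booted device that will settle down.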


This offer is still valid. I’d love to see more traffic on this server.


My old ntp4 will die soon (hardware will be used for other things).
Ask, can you add my new ntp4 to the cn pool please?

For those of you that have problems when you are in the cn pool:
Simply set your netspeed lower until you don’t get any problems.
It’s that easy.

For example, if you have a 1000 Mbit server in the cn pool you will get
approx 12000 pps and it will use approx 10 Mbit/s. If your hardware can’t
handle that, set a lower netspeed limit.


Please add this server to the CN zone as well:


Please add these servers to the CN zone:

Thank you


Please add this server to the CN pool:




I have added some of my servers which are located in China.
Should I post them to this thread?




Is this a current issue anymore?
If yes, you can add my new servers to the China or Brazil zone (or whatever zone is too weak to support the load).


Yeah. Just add me wherever it’s needed.



I think you would get a faster response if you sent an email to server-owner-help (at)


I’m pretty sure Ask sees it.


Sure, but there are also other people besides Ask who can do this, and they can be reached easiest by email.

And yes, I do think the China zone would still benefit from new servers.


I don’t know if it’s still one of the Pool’s most desperate zones, but Brazil definitely needs more servers. Even a server set to 384 Kbps gets a pretty huge amount of traffic during the times when it’s in the DNS.