I was browsing the main site and came across a note (on the vendor page I believe) that said the Pool currently serves between 5-15 million systems. I think that number is grossly underestimated… On my server alone (Pool Settings: 100Mb / US) I will see anywhere between 1-2 million unique IPs per day…
Pool DNS shows around 30,000 queries per second… Assume 1/3 would be full NTP clients with the standard 4 pool config lines (rest would be more basic SNTP clients making single requests), would calculate (guessing) around 22,500 unique IPs per second, round down to 20k figuring some have to be bad queries or redundant, and you still get 72 million per hour… Who knows per day… Would have to figure some get power cycled, or re-query a few times for fresh pool servers, or if it’s just an hourly cron job to update time, etc…
Would be interesting to do some logging on the DNS server to figure out unique IPs (and possibly also geo-tagging to group by country). I bet too numbers could be aggregated on the vendor zones to see who are the top users.
I wonder how much NTP traffic Microsoft, Google, and NIST get too…
It would be fun to have some opt-in statistics that each operator could run and contribute data to a central repository to better estimate the traffic (and sooner catch abnormalities like the snapchat incident some years ago).
I’m pretty sure we well surpassed the NIST servers about a decade ago.
Ah yes, I keep forgetting it’s on github, I’ll look over everything and see what I can make sense of…
I’m also curious more about the DNS system which I hope the code is in there… Even though I’m in the US, I get a LOT of traffic from Asia (mostly China)… Due to distance you would think Europe would get any Asia overflow as you would kind of want to group clients & servers as close as physically possible (without overloading a pool).
I re-enabled logging on my server yesterday and here’s some stats over the past ~24 hours… (US Pool, 100Mb Setting)…
Here’s the top 25 countries sorted by # of unique IPs, they represent about 97% of all the queries.
Interesting to see how Canada & China have about the same # of unique IPs, yet China is making about 10x more requests… China also seems to be behaving decently these past 24 hours… There is usually at least a couple times a week I’ll get bombarded from there for brief periods, either spoofed requests or the great firewall going nuts, or something.
Also interesting to see how many queries come from Europe, when their pool is almost 3x larger than NA???
Allowed/Dropped is based on firewall rulesets, hashlimit allows each unique IP a burst of 10 packets + 6/min, anything beyond that rate is dropped.
Eastern Asia is closer to the US than to Europe. Mostly Asia is just plain underserved though with most countries having many more clients than servers. The same is true for many countries in Europe and some in North America.
Counting clients on the global scale seems difficult, but I think it should be at least possible to estimate the total amount of NTP traffic.
We just need some data for at least one NTP server in each country zone. We need the average packet rate (e.g. over day or week) and the speed setting. From the distribution of servers in DNS responses we can estimate the average speed setting for that zone and the total amount of NTP traffic.
I was able to do that for a small number of zones for which I have my own data or found information from other people here. For example, in the US zone there seems to be about 400000 requests per second. I was expecting more.
If you are willing to share data for servers in other zones, I can add it to the table. I need the average observed request rate separately for IPv4/IPv6 and speed setting. I may also need the IP address if no server in the zone is using the maximum speed (1Gb), or the number of servers is so small that the speed setting has little effect, which I assume is a common case in the underserved zones. The server should be in just one country zone (not helping other zones).
Interesting chart… Looking at my traffic graph, my 100Mb US IPv4 server is showing an average of about 370 p/s, so that’s right in line at 1/10th your 1Gb server. I would say the load balancing algorithm is working pretty good, lol.
How did you determine average server speed for the various zones?
By observing how frequently are specific servers returned by the pool DNS server. If a 1Gb server in the US zone is returned in about 0.95% of DNS responses and there are 527 servers, the average speed should be 1000Mb/0.95%/527 = 200 Mb.
I’m not sure how accurate these numbers really are. I hope they are good to at least an order of magnitude.
No wonder use of obsolete NTP and SNTP is common. AFAIK Windows and Android all implemented version 3 of (S)NTP as their time service. Feel free to block them all with version if you are not willing to support obsoleted NTP versions…
I’m pretty sure the real number of systems is indeed much higher that what’s estimated. I easily receive 100.000-150.000 queries per second on my systems. Sometimes more. Mostly from China. I’m not sure how many misbehaving clients there are, but even if only 10% behaves nicely and doesn’t visit me more than once every 30 minutes or so, this would still account for hundreds of millions of systems. And that would make sense too. There is an increasing amount of embedded devices, like IP cameras, Zigbee hubs and what have you? Many of them communicating to the pool. So yes, I think 5-15 million systems is indeed grossly underestimated
Remember that load differs regionally, and load on servers in the China zone can be quite high compared to elsewhere. You can’t infer the load on the entire pool based on what you’re seeing from China.
That doesn’t really matter, because even if I would count only China, and only the traffic I receive on my servers, the pool would already serve more than the estimated 5-15 million devices. Assuming I am doing the math right.
Looking at the DNS traffic is not a good way of measuring the load. The TTL of the pool’s DNS answers is 150 seconds. One large Chinese ISP could send DNS-replies for, say, asia.pool.ntp.org to thousands of embedded devices during that timeframe, while it would only be counted as one DNS-request.
Also, counting unique IP’s is not enough either. In my home there are Zigbee hubs, Raspberry Pi’s, Linux-laptops and more. All connecting to the pool directly (and in the case of IPv4 all from 1 source IP address because of NAT). My other internet connection is behind Carrier Grade NAT, making things even worse. Imagine; entire streets making NTP requests to the pool from just 1 GNAT IPv4 address.
I was intending my observation to be a more general one - i.e. that you can’t infer global userbase size from regional data.
You’ll need to get server data to really answer that question properly (and even then, given it’s stateless UDP, clients behind NAT are a thing, etc, you’ll never be able to get an exact number), but whatever the true number, it’s likely to be a lot higher than 15 million. As an example - my server has seen queries from over 180 million unique IPv4 addresses in the last six months. Some of those will probably be spoofed, but it gives an idea of just how much larger the true number of clients is likely to be.