Rant: some of our clients shouldn't even exist (VM farms)

I think we have all seen some occasional badly-behaving IP range mass-requesting your server for time. Sometimes I ask myself: what if this is not malicious?

You see, when you start a virtual server on some virtual private server site, they usually just make a new KVM and put an image with some basic stuff in. Among the “basic stuff” is, unfortunately, some kind of NTP client pointing to the Linux distribution’s default pool. I can’t say how many such clients can exist in the same datacenter, but it’s probably bad.

And it’s not even necessary! There are plenty of ways for the guest machine to get the host machine’s time (ptp-kvm and the hyperv thing – System time - ArchWiki). A good VPS provider should just have the host machine’s time calibrated right, then put a copy of chrony in the default guest image with a conf file that syncs from the host.

If any VPS provider wants to help fix this, feel free to reply below. I really want my NTP packets to go to fixing people’s times, not times on things that have a closer, more reliable timesource that they are not using.

3 Likes

I do my part by directing all outgoing NTP packets to my internal NTP server in my home network.

1 Like

Alright, so I just came across this post on chrony-users. It looks like Microsoft Azure is almost doing what I want them to do: set up every machine that they start with a copy of chrony which uses a PTP source referenced to the host clock. The only issue here is that they’ve not set the stratum so it defaults to 0, which is dubious. Chrony does mark it as a falseticker when you put in real stratum 1 sources, but my recommendation is that you manually set the stratum based on the reported stratum of the host.

So here’s what I think providers should do:

  1. Get your host’s time synced.
  2. For each “default image” you got, install chrony on it. Remove all the pool sources from it and add a line `refclock PHC /dev/ptp0 poll 3 dpoll -2 stratum 3`, replacing the `stratum 3` with whatever stratum your host usually ends up syncing from plus one.

That’s… it. If your user wants to change it, let them. I think this is the least obstructive way, and given how most people just use one of the pre-baked images (or so I hope!) this should give enough of a traffic reduction.

(You can also use ntpd for syncing from the PTP source, but I’m admittedly just more familiar with chrony.)
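As an added example (not from the post above or from chrony's own tooling), a small POSIX shell script that derives the guest's `refclock` line from the host's `chronyc tracking` output (host stratum plus one, as recommended) and emits a guest chrony.conf with no pool or server sources; the `/dev/ptp0` device name and the sample tracking text are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the host runs chrony
# (so `chronyc tracking` output is available) and that the guest sees the
# host's clock as /dev/ptp0 (assumed device name, via ptp_kvm).

# Print the host's current stratum from `chronyc tracking` output ($1).
host_stratum() {
    printf '%s\n' "$1" | awk -F': *' '/^Stratum/ {print $2; exit}'
}

# Build the refclock line from the post with stratum = host stratum + 1,
# so the guest never advertises the dubious default stratum 0.
guest_refclock_line() {
    stratum=$(host_stratum "$1")
    [ -n "$stratum" ] || { echo "could not read host stratum" >&2; return 1; }
    echo "refclock PHC /dev/ptp0 poll 3 dpoll -2 stratum $((stratum + 1))"
}

# Emit a complete guest chrony.conf that syncs only from the host's PTP clock.
guest_chrony_conf() {
    cat <<EOF
# Guest chrony.conf: host PTP clock only, no pool/server lines.
$(guest_refclock_line "$1")
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
}

# Constructed sample of a host's `chronyc tracking` output (not a real capture).
SAMPLE_TRACKING='Reference ID    : C0A80001 (ntp1.example.invalid)
Stratum         : 2
Ref time (UTC)  : Mon Jan 01 00:00:00 2024
System time     : 0.000012345 seconds fast of NTP time
Last offset     : +0.000001234 seconds
RMS offset      : 0.000004321 seconds
Leap status     : Normal'

# Run on the host when building the image: redirect into the guest's chrony.conf.
guest_chrony_conf "$SAMPLE_TRACKING"
```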