Usual traffic intensity

maybe a silly question:
is it normal NTP traffic like this?
About 2 GB daily?
It is too much for me.

It depends on your zone config and announced netspeed setting. If your server located in a zone with low server:client ratio then your throughput will be high.
Screenshot 2022-08-02 211818
Above image states the daily average of 4048 outgoing NTP packets per second. If every packet is 100 bytes then the whole daily throughput will be:

100(byte)*4048(packets per second)*86400(second)=34974720000(byte)=32.57274(GB)

If the figure looks horrible to you, feel free to lower your netspeed setting.

The “normal” for me during peak hour on a weekday (Asia, at night) : >100K requests / second.

1 Like

Hi roman,

as the other already saied - yes and it depends on the zone.
What’s your current “speed” setting of your server (ntppool management interface) ? If you set the speed below 1MBit or 768kbit (didn’t remeber it right now) your server will be removed from the global pool.
I would suggest put it to the lowest speed as possible and wait some time. ex: if it’s ok after a week set it to the next higher speed level and wait again.

We have 2 Stratum 1 : The average incoming packets/sec is between 8000 (8k) and 16000 (16k) but with some peaks around 200k/sec.
Without any optional extensions the incoming and outgoing packets are 76 octets in length. => Minimum of 52 GB/ day for 8k/sec.(peak = 1.3 TB/day)
This is not a problem for the ntp server … but can become a problem for the firewall or some limited networks.

Well, ok
I have set connection speed to 10 Mbit and traffic looks like that:

Surprisingly uneven.

can I ask you what software you use for draw such a graph?
Is there any commonly available software that monitors NTP server traffic and saves the data to a file?
I wrote a program as a service (Centos Linux) that reads data from chronyc serverstats and creates a CSV file.
But it would probably be better to use some standard software, but I don’t know of any.

There was a script found from the old ntppool mail list. I modified it and cron every 5 minutes to create data usable for MRTG. (I am too lazy to learn new monitoring tools like RRDtool and Munin… People said there were NTP plugins available for them.) The original site is now defunct so the original message from a backup site follows:
[Pool] Traffic graphs (was: Taking down my NTP server in Turkey)

As alica already said there are “some” tools.
Munin with plugins


you can also user Prometheus, InfluxDB as Datastorage which are feeded by your own scripts (like ntp / chrony stats or iptables/nftables packet counter) and visualized with Grafana.

It depends on how nice your graphs should be :slight_smile: , how much work you will spend to set it up and you want to acquire the stats (just local or via remote push / pull)

Still strange …
What do you think, is this a normal situation or an attempt at DoS?

There are several sources of NTP request bursts, including:

  • Network loops (L2 or L3) at the client
  • Bursts from faulty FortiGate machines.
  • Bursts from systemd-timesyncd
  • bursts from carrier grade NAT resets
    plus others.

Some of these can be distinguished if a packet capture is available.

1 Like

Thank you for comprehensive answer. :slight_smile: