ExpressVPN Glossary

Network Time Protocol (NTP)

What is Network Time Protocol?

Network Time Protocol (NTP) is a networking protocol used to synchronize the clocks of devices on a network, such as computers, servers, and routers. It aligns local device time with reference time sources to reduce clock drift, where a device’s internal clock gradually deviates from accurate time.

How does the Network Time Protocol work?

NTP typically exchanges time information over the User Datagram Protocol (UDP) using port 123, the standard port for NTP traffic.

It uses a hierarchy of time sources called strata. Reference clocks such as atomic clocks or GPS receivers are commonly treated as stratum 0 time sources. Stratum 1 servers connect directly to these reference clocks, and higher-stratum servers receive time from lower-stratum sources and redistribute it to other systems.

To synchronize, a client sends requests to one or more servers. The client and server record timestamps for when the request is sent and received, and when the response is sent and received. NTP uses these timestamps to estimate clock offset and network delay.
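The four-timestamp calculation described above, as an added example (not from the original page). It also applies the basic checks a client makes before trusting a reply. The packet builder, the function names, and the sample timestamps are constructed for illustration.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def to_ntp(unix_s):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    return int(round((unix_s + NTP_UNIX_DELTA) * 2**32))

def from_ntp(raw):
    return raw / 2**32 - NTP_UNIX_DELTA

def build_reply(origin, receive, transmit, stratum=2, mode=4):
    """Constructed 48-byte reply: LI=0, VN=4, given mode; other fields zero."""
    header = struct.pack("!BBbb", (4 << 3) | mode, stratum, 6, -20) + bytes(12)
    return header + struct.pack("!QQQQ", 0, origin, receive, transmit)

def evaluate_reply(packet, t1_raw, t4):
    """Check a server reply, then return (offset, delay) in seconds.

    t1_raw: the 64-bit transmit timestamp the client placed in its request.
    t4:     client clock (Unix seconds) when the reply arrived.
    """
    if len(packet) < 48:
        raise ValueError("short packet")
    mode, stratum = packet[0] & 0x07, packet[1]
    origin, receive, transmit = struct.unpack("!QQQ", packet[24:48])
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if stratum == 0 or stratum > 15:
        raise ValueError("kiss-o'-death or unsynchronized server")
    if origin != t1_raw:
        raise ValueError("origin timestamp does not match our request")
    t1, t2, t3 = from_ntp(origin), from_ntp(receive), from_ntp(transmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far the server clock is ahead of ours
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server processing time
    return offset, delay

# Constructed exchange: client clock 0.25 s behind, 0.125 s each way on the wire.
T1, T2, T3, T4 = 1700000000.0, 1700000000.375, 1700000000.4375, 1700000000.3125

def demo():
    reply = build_reply(to_ntp(T1), to_ntp(T2), to_ntp(T3))
    return evaluate_reply(reply, to_ntp(T1), T4)

if __name__ == "__main__":
    print("offset=%.4f s delay=%.4f s" % demo())
```

The origin-timestamp comparison only stops replies from senders who never saw the request; it is not a substitute for authenticated time.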

NTP typically adjusts the local clock gradually (slewing) rather than making abrupt jumps. It can compare results from multiple servers and filter inconsistent responses to reduce jitter. In client-server deployments, NTP can authenticate time synchronization data using Network Time Security (NTS).

Figure: How Network Time Protocol syncs time.

Types of NTP setups

NTP supports several deployment models for different network sizes, accuracy requirements, and security constraints:

  • Client-server: The most common setup. Clients poll designated time servers that synchronize to upstream time sources.
  • Symmetric peers: Servers poll each other and exchange time information to support mutual synchronization and redundancy.
  • Broadcast or multicast: A server distributes time to multiple clients without per-client request/response exchanges, though these modes are less common and need careful security controls.
  • Public pools and internal servers: Organizations may use public NTP pool services or operate internal time servers for controlled access and consistency.

Why is the Network Time Protocol important?

NTP is important because many security and system tools depend on accurate, synchronized time, including:

  • Transport Layer Security (TLS): To verify that certificates are currently valid.
  • Time-based or expiring authentication tokens: To confirm the token issue and expiration times.
  • Kerberos: To validate authentication tickets and enforce clock-skew limits that help prevent replay attacks.
  • Session timeouts: To enforce inactivity timeouts and reauthentication windows.
  • Multi-factor authentication (MFA): To verify time-based one-time passcodes.

If system clocks drift, these systems may reject valid credentials, invalidate certificates, or disrupt active sessions. Accurate timekeeping also helps keep security logs in the correct order, supporting auditing and investigations. In distributed systems, it helps services coordinate more reliably and reduces confusion caused by inconsistent timestamps.

Where is the Network Time Protocol used?

NTP runs across many types of systems, including routers, firewalls, and virtual private network (VPN) gateways; cloud infrastructure and container clusters; operating systems and enterprise networks; telecommunications platforms and financial trading systems; and Internet of Things (IoT) devices and industrial control systems.

Risks and privacy concerns

NTP can create security and privacy risks when misconfigured, exposed unnecessarily, or used without authentication and access controls. Because it commonly uses UDP, attackers may be able to spoof or tamper with time responses and shift device clocks, disrupting authentication systems and reducing the reliability of logs.

Public-facing or poorly restricted NTP servers can also be abused in reflected distributed denial-of-service (DDoS) amplification attacks, especially through control or monitoring queries. Replay and packet-manipulation risks can also affect time-synchronization traffic, depending on the deployment mode and protections in use. If an NTP server is compromised or incorrectly configured, it may distribute incorrect time to many clients, potentially affecting large parts of a network.

These risks can be reduced by limiting which systems can query NTP servers, restricting control queries, isolating time infrastructure, and using authentication mechanisms such as NTS in client-server deployments. Broadcast mode should be used only within trusted networks.
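One way to express the first two mitigations as a per-packet policy, as an added example (not from the original page): time requests are accepted only from client networks, and control or monitoring queries only from a management network. The address ranges, function names, and sample packets are constructed, and the server is assumed to have no symmetric peers.

```python
import ipaddress

# Assumed address plan (constructed for this example).
CLIENT_NETS = [ipaddress.ip_network("10.0.0.0/16")]  # hosts allowed to ask for time
MGMT_NETS = [ipaddress.ip_network("10.0.9.0/24")]    # hosts allowed control queries

MODES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
         4: "server", 5: "broadcast", 6: "control", 7: "private"}

def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def decide(src_ip, payload):
    """Return (mode_name, 'allow' | 'drop') for one datagram sent to UDP/123."""
    if len(payload) < 1:
        return ("empty", "drop")
    mode = payload[0] & 0x07             # mode is the low 3 bits of the first byte
    name = MODES.get(mode, "reserved")
    if mode == 3:                        # ordinary time request
        ok = len(payload) >= 48 and in_any(src_ip, CLIENT_NETS)
    elif mode in (6, 7):                 # control / monitoring queries
        ok = in_any(src_ip, MGMT_NETS)
    else:                                # assumption: no peers, so nothing else is expected
        ok = False
    return (name, "allow" if ok else "drop")

# Constructed sample traffic: (source address, UDP payload).
SAMPLE = [
    ("10.0.4.17",    bytes([0x23]) + bytes(47)),  # v4 client request, internal host
    ("203.0.113.50", bytes([0x23]) + bytes(47)),  # client request from outside
    ("10.0.9.5",     bytes([0x16]) + bytes(11)),  # control query, management host
    ("198.51.100.7", bytes([0x16]) + bytes(11)),  # control query, untrusted source
    ("198.51.100.7", bytes([0x17]) + bytes(7)),   # monitoring query, untrusted source
]

def audit(sample=SAMPLE):
    return [(src, *decide(src, data)) for src, data in sample]

if __name__ == "__main__":
    for row in audit():
        print(row)
```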

FAQ

Is NTP the same as SNTP?

No, Simple Network Time Protocol (SNTP) and Network Time Protocol (NTP) are different. SNTP provides basic time synchronization without the more advanced filtering, server selection, and error-handling features used by full NTP implementations. SNTP is commonly used where simpler timekeeping and lower precision are acceptable.

What does “stratum” mean in NTP?

Stratum indicates how many steps a time source is from the original reference clock. A stratum 1 server connects directly to a primary reference source, such as a GPS clock. Higher stratum numbers receive time from lower-stratum servers.

Can attackers manipulate time via NTP?

Yes. If Network Time Protocol (NTP) traffic is unauthenticated, attackers can spoof time responses or inject false timestamps, causing devices to synchronize to incorrect time. A compromised NTP server can also distribute manipulated time to multiple clients.

What is NTS, and why should I use it?

Network Time Security (NTS) is an extension that adds cryptographic protection to Network Time Protocol (NTP) in client-server deployments. It helps confirm that time data comes from a trusted source and reduces the risk of tampering in transit.

Does a VPN affect NTP time sync?

Not directly. A VPN encrypts and routes network traffic, while Network Time Protocol (NTP) synchronizes system clocks. Using a VPN doesn't change how NTP calculates time offset and delay, although VPN routing and latency can affect network conditions used in those calculations.