
pitpro

join:2003-12-31
Winnetka, IL

[Connectivity] Why is Comcast blocking all NTP Time servers?

Real nice! Last 2 days can't sync my time.
What the hell is going on?
What's the reason for this?
My time needs to be synced exactly
for software I use.
&^%$#&*%(


voiptalk

join:2010-04-10
Gainesville, VA

[Connectivity] Re: Why is Comcast blocking all NTP Time servers?

Well, I'm currently syncing to 3. So, Comcast is not "blocking all NTP Time servers".

How about some specifics.

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+mxfwd1.rollerne 198.60.73.8      2 u   73 1024  377   99.600    4.640   2.945
*2610:20:6f15:15 .ACTS.           1 u 1002 1024  377   19.876   -1.217   1.716
+you.dontlike.us 128.59.59.177    3 u  723 1024  377   20.460   -1.395   2.720
 

pitpro

join:2003-12-31
Winnetka, IL

I've been doing this for 10 years the same way.
All these are BLOCKED.
I have an SBG6580 that I noticed is having issues
I just started reading the thread on. Is this the cause?
The 6580 firewall is not set to block anything
navobs1.wustl.edu
tick.uh.edu
ntp.your.org
time-c.nist.gov
time-a.nist.gov
tick.usno.navy.mil


BK3

join:2001-04-10
Geneva, IL

1 recommendation

reply to pitpro

I use us.pool.ntp.org, and it is not blocked.


pitpro

join:2003-12-31
Winnetka, IL

It is on my connection.
On all my machines.
If I switch over to AT&T DSL backup I have they all work fine.



mediaguy
Politically Incorrect
Premium
join:2014-01-22
Guitar Town
reply to pitpro

A tracert to those servers would show us where you're 'blocked' - perhaps that would give us all some info to help you with.


mike34
Premium
join:2004-07-17
Central City, PA
reply to pitpro

»tf.nist.gov/tf-cgi/servers.cgi


pitpro

join:2003-12-31
Winnetka, IL
reply to pitpro

You know I noticed that the firmware was changed on my SBG6580 recently.
The whole GUI is completely different.
Firewall is set to LOW
No Services are Restricted.
Any guesses what's happening here?


pitpro

join:2003-12-31
Winnetka, IL
reply to mediaguy

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\>tracert pool.ntp.org

Tracing route to pool.ntp.org [212.26.18.41]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.0.1
2 9 ms 8 ms 8 ms 69.243.144.1
3 8 ms 9 ms 9 ms te-0-7-0-12-sur04.mortongrove.il.chicago.comcast
.net [69.139.233.237]
4 12 ms 12 ms 11 ms te-2-2-0-0-ar01.area4.il.chicago.comcast.net [68
.87.230.65]
5 12 ms 12 ms 11 ms he-3-8-0-0-cr01.350ecermak.il.ibone.comcast.net
[68.86.90.49]
6 * 80 ms 78 ms 66.208.229.126
7 178 ms 176 ms 175 ms vl-3609-ve-233.ebr2.Chicago2.Level3.net [4.69.15
8.226]
8 170 ms 172 ms 172 ms ae-6-6.ebr2.Washington12.Level3.net [4.69.148.14
5]
9 178 ms 190 ms 175 ms ae-46-46.ebr2.Washington1.Level3.net [4.69.202.5
3]
10 177 ms 187 ms 179 ms ae-44-44.ebr2.Paris1.Level3.net [4.69.137.61]
11 * * * Request timed out.
12 222 ms 228 ms 241 ms time1.isu.net.sa [212.26.18.41]

Trace complete.


pitpro

join:2003-12-31
Winnetka, IL

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\>tracert time-a.nist.gov

Tracing route to time-a.nist.gov [129.6.15.28]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.0.1
2 8 ms 9 ms 9 ms 69.243.144.1
3 9 ms 9 ms 9 ms te-0-7-0-12-sur04.mortongrove.il.chicago.comcast
.net [69.139.233.237]
4 12 ms 12 ms 15 ms te-2-2-0-1-ar01.area4.il.chicago.comcast.net [68
.86.189.1]
5 12 ms 11 ms 11 ms he-3-8-0-0-cr01.350ecermak.il.ibone.comcast.net
[68.86.90.49]
6 11 ms 10 ms 10 ms he-0-10-0-0-pe04.350ecermak.il.ibone.comcast.net
[68.86.83.50]
7 18 ms * 13 ms 173.167.58.138
8 31 ms 63 ms 33 ms 0.xe-10-0-0.XL4.TCO4.ALTER.NET [152.63.32.130]
9 31 ms 31 ms 31 ms POS7-0-0.GW5.TCO4.ALTER.NET [152.63.40.169]
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.


pitpro

join:2003-12-31
Winnetka, IL
reply to pitpro

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\>tracert tick.usno.navy.mil

Tracing route to tick.usno.navy.mil [192.5.41.40]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.0.1
2 10 ms 8 ms 9 ms 69.243.144.1
3 9 ms 9 ms 9 ms te-0-7-0-12-sur04.mortongrove.il.chicago.comcast
.net [69.139.233.237]
4 10 ms 12 ms 15 ms te-2-2-0-0-ar01.area4.il.chicago.comcast.net [68
.87.230.65]
5 12 ms 11 ms 11 ms he-3-7-0-0-cr01.350ecermak.il.ibone.comcast.net
[68.86.90.53]
6 10 ms 10 ms 10 ms he-0-12-0-1-pe04.350ecermak.il.ibone.comcast.net
[68.86.83.166]
7 * * 18 ms chp-edge-01.inet.qwest.net [216.207.8.189]
8 33 ms 30 ms 27 ms 208.46.37.38
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.



train_wreck

join:2013-10-04
Antioch, TN
Reviews:
·Comcast
reply to pitpro

idk, seems up & responding to NTP requests normally for me

[root@hostname /]# ntpdate -q 212.26.18.41
server 212.26.18.41, stratum 1, offset -0.005707, delay 0.23285
11 Mar 21:18:15 ntpdate[16188]: adjust time server 212.26.18.41 offset -0.005707 sec
 

and resulting traffic

21:18:08.951286 IP 172.16.16.2.40185 > 212.26.18.41.123: UDP, length 48
21:18:09.159152 IP 212.26.18.41.123 > 172.16.16.2.40185: UDP, length 48
21:18:11.151414 IP 172.16.16.2.40185 > 212.26.18.41.123: UDP, length 48
21:18:13.151592 IP 172.16.16.2.40185 > 212.26.18.41.123: UDP, length 48
21:18:13.361508 IP 212.26.18.41.123 > 172.16.16.2.40185: UDP, length 48
21:18:15.351811 IP 172.16.16.2.40185 > 212.26.18.41.123: UDP, length 48
21:18:15.558974 IP 212.26.18.41.123 > 172.16.16.2.40185: UDP, length 48
 

didn't try the other ones.

EDIT and also, they may not be configured to respond to pings, but nevertheless may still be up

biomesh
Premium
join:2006-07-08
Tomball, TX
reply to pitpro

You should really use one of the NTP pool DNS names. Only one NTP server on your list is truly an open access NTP server with no restrictions.

I know it doesn't help your problem unless the pool addresses do work.


pitpro

join:2003-12-31
Winnetka, IL
reply to pitpro

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\>tracert tick.uh.edu

Tracing route to tick.uh.edu [129.7.1.66]
over a maximum of 30 hops:

1


pitpro

join:2003-12-31
Winnetka, IL

Now I just switched over to my DSL
Let's see if there's a difference in tracert.
As I said earlier the SP Time Sync I use works perfectly
on the DSL line also. Not at all on Comcast connection.
Same computer.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\>tracert pool.ntp.org

Tracing route to pool.ntp.org [198.199.111.124]
over a maximum of 30 hops:

1



XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
reply to pitpro

No issues here using us pool.


pitpro

join:2003-12-31
Winnetka, IL

The issue is here.


pitpro

join:2003-12-31
Winnetka, IL

Could it be the SBG6580 modem?


Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
reply to pitpro

No NTP issues here. How about trying WITHOUT your firewall? Or a different one?



mediaguy
Politically Incorrect
Premium
join:2014-01-22
Guitar Town
reply to pitpro

Just checking 3 of the URL's you listed (from a Comcast Biz account in Nashville):

1. tick.uh.edu drops out AFTER it hits the uh.edu network

2. time-a.nist.gov is listed by nist as "All services busy, not recommended"

3. navobs1.wustl.edu is resolving and reachable for me at this time.

Of those 3, the 2 points of failure are beyond the Comcast network, and are therefore not "Comcast blocking all NTP Time servers".


pitpro

join:2003-12-31
Winnetka, IL

Well mediaguy I thought you wanted the tracert to "help"
I guess you wanted it to argue.
So what do you call it when my AT&T line
gets the timesync from all of them perfectly and
the Comcast line can't get any of them?
Could the new firmware Comcast pushed to my
6580 be the cause? Cuz it's not the computer.
It's not the timesync software. It's not AT&T.
So why exactly would you say it won't work on
the Comcast connection? I have not touched
my firewall, my router settings, anything in the modem gui
in a month. But there was a firmware upgrade
sometime recently. Either their firmware is Blocking it,
or somewhere else it's being Blocked. But my
failover dsl gets it fine every time by flipping a switch
and resetting the connection.


pitpro

join:2003-12-31
Winnetka, IL

and yes, i tried it with the firewall turned off.
no joy



mb

join:2000-07-23
Washington, NJ
Reviews:
·Comcast
·Verizon Online DSL
reply to pitpro

When I run a trace to time-a.nist.gov from my Comcast account I get an error message from alter.net that the destination net is unreachable. See hop 13 below. That takes Comcast out of the equation.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Mark>tracert time-a.nist.gov

Tracing route to time-a.nist.gov [129.6.15.28]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms RT-N66U [192.168.1.1]
2 26 ms 60 ms 28 ms xx.y.zzz.1
3 9 ms 9 ms 8 ms te-1-2-ur01.portmurray.nj.panjde.comcast.net [68.85.152.153]
4 10 ms 12 ms 11 ms xe-16-1-2-0-ar03.plainfield.nj.panjde.comcast.net [68.86.210.1]
5 14 ms 15 ms 11 ms 68.86.91.201
6 12 ms 13 ms 13 ms he-0-10-0-0-pe03.111eighthave.ny.ibone.comcast.net [68.86.83.90]
7 12 ms 13 ms 11 ms n-a.GW13.NYC1.ALTER.NET [152.179.220.125]
8 17 ms 17 ms 49 ms 0.xe-10-0-0.XL4.TCO4.ALTER.NET [152.63.32.130]
9 18 ms 18 ms 33 ms POS7-0-0.GW5.TCO4.ALTER.NET [152.63.40.169]
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 nist-gw.customer.alter.net [157.130.31.218] reports: Destination net unreachable.

Trace complete.

C:\Users\Mark>
--
"When will they ever learn? When will they ever learn?"
Pete Seeger 1961



guhuna
5149.5
Premium
join:2001-03-31
Clayton, CA
reply to pitpro

Re: [Connectivity] Why is Comcast blocking all NTP Time servers?

I just synced using time.sonic.net NTP server just fine.


n_w95482
Premium
join:2005-08-03
Ukiah, CA
reply to pitpro

Interesting, I seem to be having a similar issue. Only one of the default time servers in Windows 8.1 is working for me: time-a.nist.gov. All of the others time out, including the one I normally use (us.pool.ntp.org).

I have us.pool.ntp.org set in my router as well. It successfully sync'ed when I rebooted it 11 days ago. I just rebooted it and it took about 7 minutes to get the time. Normally it's under 30 seconds.

Edit: After I posted this, all of them worked for a few seconds. Now all of them are timing out. Occasionally one or two will respond for a few seconds, then time out again. I wonder if they're being very sensitive to the amount of queries coming from the same IP.
--
KI6RIT



train_wreck

join:2013-10-04
Antioch, TN
Reviews:
·Comcast

said by n_w95482:

Interesting, I seem to be having a similar issue. Only one of the default time servers in Windows 8.1 is working for me: time-a.nist.gov. All of the others time out, including the one I normally use (us.pool.ntp.org).

I have us.pool.ntp.org set in my router as well. It successfully sync'ed when I rebooted it 11 days ago. I just rebooted it and it took about 7 minutes to get the time. Normally it's under 30 seconds.

Edit: After I posted this, all of them worked for a few seconds. Now all of them are timing out. Occasionally one or two will respond for a few seconds, then time out again. I wonder if they're being very sensitive to the amount of queries coming from the same IP.

odd. not having issues here. you and the OP are in quite different areas of the country, so doesn't seem on surface to be geographically related.

[root@hotname /]# ntpdate -q us.pool.ntp.org
server 216.119.157.44, stratum 2, offset 0.000274, delay 0.04335
server 50.22.155.163, stratum 2, offset 0.001701, delay 0.10254
server 97.107.134.213, stratum 2, offset -0.004028, delay 0.06592
server 204.2.134.164, stratum 3, offset 0.000309, delay 0.10257
12 Mar 01:44:04 ntpdate[28126]: adjust time server 216.119.157.44 offset 0.000274 sec
 

took about 6-8 seconds to query all 4 resolved addresses from here.


tshirt
Premium,MVM
join:2004-07-11
Snohomish, WA
kudos:4
Reviews:
·Comcast

1 recommendation

reply to n_w95482

said by n_w95482:

I wonder if they're being very sensitive to the amount of queries coming from the same IP.

Yes, if they receive more than one request every 4 seconds per IP, that IP's requests will be ignored. Multiple occurrences MAY cause the IP to be marked as a DoS attempt (IP may be blocked????).
Info is at NIST »tf.nist.gov/tf-cgi/servers.cgi, which mike34 tried to steer the OP to early on in the thread. That page also shows status, and several on the OP's list were down or busy.

time.nist.gov is the preferred address
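
Added example, not part of any post in this thread: a short Python script that pairs port-123 queries with replies in tcpdump-style lines and flags queries that went unanswered or followed the previous one by less than a minimum gap. The sample lines are the capture posted earlier in the thread; the 4-second default is the figure cited above for the NIST servers and is applied here only as a parameter, and the function names are hypothetical.

```python
import re
from datetime import datetime

# tcpdump lines copied from the capture train_wreck posted earlier in this thread.
CAPTURE = """\
21:18:08.951286 IP 172.16.16.2.40185 > 212.26.18.41.123: UDP, length 48
21:18:09.159152 IP 212.26.18.41.123 > 172.16.16.2.40185: UDP, length 48
21:18:11.151414 IP 172.16.16.2.40185 > 212.26.18.41.123: UDP, length 48
21:18:13.151592 IP 172.16.16.2.40185 > 212.26.18.41.123: UDP, length 48
21:18:13.361508 IP 212.26.18.41.123 > 172.16.16.2.40185: UDP, length 48
21:18:15.351811 IP 172.16.16.2.40185 > 212.26.18.41.123: UDP, length 48
21:18:15.558974 IP 212.26.18.41.123 > 172.16.16.2.40185: UDP, length 48
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+$")

def parse(text):
    """Yield (stamp, seconds, src, sport, dst, dport) per UDP line; skip the rest."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
            yield m.group(1), secs, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def analyze(text, min_gap=4.0):
    """Pair port-123 queries with replies; flag lost queries and short gaps."""
    pending, last_query = {}, {}
    report = {"rtt": [], "unanswered": [], "too_fast": []}
    for stamp, secs, src, sport, dst, dport in parse(text):
        if dport == 123:                       # client -> server query
            flow = (src, sport, dst)
            if flow in pending:                # previous query never got a reply
                report["unanswered"].append(pending.pop(flow)[0])
            prev = last_query.get((src, dst))
            if prev is not None and secs - prev < min_gap:
                report["too_fast"].append(round(secs - prev, 3))
            last_query[(src, dst)] = secs
            pending[flow] = (stamp, secs)
        elif sport == 123:                     # server -> client reply
            sent = pending.pop((dst, dport, src), None)
            if sent:
                report["rtt"].append(round(secs - sent[1], 3))
    report["unanswered"] += [s for s, _ in pending.values()]
    return report

if __name__ == "__main__":
    for name, values in analyze(CAPTURE).items():
        print(name, values)
```

On that capture the script reports three answered queries, one unanswered query (the one sent at 21:18:11.151414), and three inter-query gaps of roughly two seconds.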

n_w95482
Premium
join:2005-08-03
Ukiah, CA

1 edit

Figures the NIST servers I was querying are busy right now, hehe. I did cycle through the list slowly and still got timeouts most of the time. time-c and time-d.nist.gov did work the first time though. time.sonic.net is hit or miss.

I ran Wireshark while doing the queries and the only thing I see when it doesn't work are either a single client query and no response, or client/server/client and nothing afterwards. It worked when there was a single client/server pair though.

Oh well, in my case it eventually worked, so at this point it's just curiosity for me. I may be doing more harm than good so I'm going to stop for now.

Edit: I can barely pick up the 10 MHz WWV broadcast on my radio, so I could use that as well.
--
KI6RIT



jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

1 recommendation

reply to biomesh

Re: [Connectivity] Re: Why is Comcast blocking all NTP Time servers?

said by biomesh:

You should really use one of the NTP pool DNS names. Only one NTP server on your list is truly an open access NTP server with no restrictions.

I know it doesn't help your problem unless the pool addresses do work.

That may help. Also I expect many NTP servers are applying more access controls due to the increase in massive new NTP attacks like this 400G+ attack a few weeks ago: »blog.cloudflare.com/technical-de···s-attack
--
JL
Comcast


jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2
reply to mediaguy

said by mediaguy:

Just checking 3 of the URL's you listed (from a Comcast Biz account in Nashville):

1. tick.uh.edu drops out AFTER it hits the uh.edu network

2. time-a.nist.gov is listed by nist as "All services busy, not recommended"

3. navobs1.wustl.edu is resolving and reachable for me at this time.

Of those 3, the 2 points of failure are beyond the Comcast network, and are therefore not "Comcast blocking all NTP Time servers".

Good observations. While we're keeping an eye on NTP as a result of recent attacks, we're not blocking it (as numerous posts here factually demonstrate). I suspect this is more related to the recent spate of NTP attacks and folks that operate NTP trying to get more secure, but not certain.
--
JL
Comcast