⚡ What is NTP?
NTP (Network Time Protocol) is a protocol that synchronises the clocks of computers and network devices to a common time source. It runs over UDP port 123 and is one of the oldest protocols still in active use. Accurate time is critical for security logs, authentication systems, SSL/TLS certificates, Kerberos, and forensic investigations — a clock that's even a few minutes off can cause authentication failures and make log correlation impossible.

Why accurate time matters in networking

Time synchronisation sounds like a minor housekeeping task, but it underpins some of the most critical functions in a network. These are the real-world consequences of clocks being out of sync — and the reason the exam treats NTP as a significant protocol:

System: What breaks without accurate time
Kerberos authentication: Kerberos tickets are time-stamped and expire — if a device's clock is more than 5 minutes off from the domain controller, authentication fails entirely. This is the most tested NTP consequence on Security+.
SSL / TLS certificates: Certificates have valid-from and valid-to timestamps. A device with a wrong clock may reject valid certificates as expired or not-yet-valid.
Security log correlation: When investigating an incident across multiple devices, log timestamps must align. A 10-minute clock drift makes it impossible to reconstruct the correct sequence of events.
Scheduled tasks and cron jobs: Backups, maintenance windows, and automated jobs run at the wrong time — or not at all — if the system clock is wrong.
Multi-factor authentication: TOTP-based MFA (like Google Authenticator) generates codes based on the current time. A device out of sync will generate codes that don't match and MFA will fail.

NTP stratum levels

NTP uses a hierarchical system called stratum levels to describe how far a clock is from a reference time source. Stratum 0 is the most accurate; each level further down introduces a small amount of additional drift.

Stratum 0
Reference clocks — atomic clocks, GPS receivers, radio time signals. These are the ultimate source of truth. They are not on the network directly — they connect to Stratum 1 servers.
Stratum 1
Primary time servers — computers directly connected to a Stratum 0 source. These are the public NTP servers (pool.ntp.org, time.google.com, time.cloudflare.com). Highly accurate, typically within microseconds.
Stratum 2
Secondary servers — sync from Stratum 1. Most enterprise internal NTP servers are Stratum 2. They serve time to internal clients and reduce load on public Stratum 1 servers.
Stratum 3–15
Downstream clients and servers — each level synchronises from the one above. Workstations, switches, and routers typically sit at Stratum 3 or 4. Accuracy decreases slightly at each hop but remains acceptable for network purposes.
⚡ Stratum — what the exam tests

Lower stratum = more accurate. Stratum 0 is the reference source. Stratum 1 is closest to it. A device at Stratum 3 synchronises from a Stratum 2 server, which synchronises from Stratum 1.

The exam may ask: "An NTP server synchronises directly from an atomic clock. What stratum level is it?" → Stratum 1. Or: "Which stratum level represents the most accurate time source?" → Stratum 0 (the reference clock itself, not on the network).

How NTP synchronisation works

NTP doesn't just set the clock once — it continuously monitors drift and makes small adjustments to keep clocks aligned. The protocol measures the round-trip delay to the time server and accounts for it when calculating the correct local time.

NTP synchronisation process
1. Client sends NTP request to server
   Client records: T1 = time request was sent

2. Server receives request, sends response
   Server records: T2 = time request was received
                   T3 = time response was sent

3. Client receives response
   Client records: T4 = time response was received

4. Client calculates offset and delay:
   Round-trip delay = (T4 - T1) - (T3 - T2)
   Clock offset     = ((T2 - T1) + (T3 - T4)) / 2

5. Client adjusts its clock by the offset
   Slewing:  gradual adjustment for small drifts (normal)
   Stepping: immediate jump for large differences (> 128ms default)
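
The five steps above as an added Python example (not code from the original article): it decodes T2 and T3 from a 48-byte server reply, applies the delay and offset formulas, and picks slew or step using the 128 ms default. The reply is constructed inline, and the origin-timestamp echo check and the helper names are assumptions of this example.

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
STEP_THRESHOLD = 0.128        # seconds; the 128 ms default quoted above


def to_ntp(unix_seconds):
    """Encode Unix seconds as a 64-bit NTP timestamp (32.32 fixed point)."""
    return struct.pack("!Q", round((unix_seconds + NTP_EPOCH_DELTA) * 2**32))


def from_ntp(raw):
    """Decode a 64-bit NTP timestamp into Unix seconds."""
    return struct.unpack("!Q", raw)[0] / 2**32 - NTP_EPOCH_DELTA


def sample_reply(t1, t2, t3, stratum=2):
    """Constructed 48-byte reply: LI=0, VN=4, mode=4; unused fields zeroed."""
    return bytes([0x24, stratum]) + bytes(22) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)


def evaluate(packet, t1, t4):
    """Validate a reply, then return (stratum, delay, offset, action)."""
    if len(packet) < 48 or packet[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    stratum = packet[1]
    if not 1 <= stratum <= 15:
        raise ValueError("server is not synchronised")
    # The reply must echo our T1 in its origin field; a mismatch means the
    # packet does not answer our request (stale, duplicated or forged).
    if packet[24:32] != to_ntp(t1):
        raise ValueError("origin timestamp mismatch")
    t2 = from_ntp(packet[32:40])  # server receive time
    t3 = from_ntp(packet[40:48])  # server transmit time
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    action = "step" if abs(offset) > STEP_THRESHOLD else "slew"
    return stratum, round(delay, 3), round(offset, 3), action


if __name__ == "__main__":
    t1 = 1700000000.0  # constructed: server clock runs 250 ms ahead of the client
    reply = sample_reply(t1, t1 + 0.270, t1 + 0.271)
    print(evaluate(reply, t1, t1 + 0.041))
```

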
📌 NTP vs SNTP

NTP (Network Time Protocol) — full implementation with drift correction, multiple server polling, and statistical filtering. Used on servers and network infrastructure. Accurate to within milliseconds.

SNTP (Simple NTP) — simplified version that uses a single server without drift correction. Used on embedded devices, IoT, and simple clients where full NTP complexity isn't needed. Less accurate but much lighter weight.

Both use UDP port 123. The exam distinguishes them by use case — SNTP for simple/embedded devices, NTP for infrastructure.

NTP in enterprise networks

In a well-designed enterprise network, NTP follows a hierarchy that mirrors the stratum model. Rather than having every device query a public internet NTP server directly — which wastes bandwidth and creates an external dependency — the network designates internal NTP servers that sync from public sources and serve time to everything internally.

Typical enterprise NTP architecture
Internet
    │
    ▼
Public NTP servers  (Stratum 1 — pool.ntp.org, time.google.com)
    │
    ▼
Internal NTP server  (Stratum 2 — domain controller or dedicated server)
    │
    ├── Core switches / routers   (Stratum 3)
    ├── Access layer switches      (Stratum 3)
    ├── Servers                    (Stratum 3)
    └── Workstations               (Stratum 3-4, via domain)

On Windows domain networks, the Primary Domain Controller (PDC) Emulator is typically the internal NTP authority. All domain-joined machines automatically sync their clocks through the domain hierarchy, which is why Kerberos authentication works reliably — every device on the domain shares the same time source.

NTP security risks

NTP is a trusted but often overlooked attack surface. Three NTP-related attacks appear on Security+:

⚠️ NTP amplification attack (DDoS)

NTP has a diagnostic command called monlist that returns a list of the last 600 clients that queried the server. An attacker can send a tiny spoofed request (just 8 bytes) to an NTP server with a victim's IP as the source — the server responds with up to 100× more data directed at the victim. This amplification factor makes NTP one of the most effective DDoS reflection vectors.

Mitigation: Disable the monlist command on NTP servers, restrict NTP to known clients via ACLs, deploy NTPv4 with authentication.

⚠️ NTP spoofing / time poisoning

An attacker on the network sends fake NTP responses to shift a device's clock. If successful, this can expire or invalidate SSL/TLS certificates, cause Kerberos authentication failures, invalidate log timestamps, or cause time-based one-time passwords (TOTP) to fail.

Mitigation: Use NTPv4 with authentication (NTP authentication uses MD5 or SHA keys to verify server identity), restrict NTP sources to trusted internal servers only.

📌 NTP authentication

NTPv4 supports symmetric key authentication — the client and server share a secret key and the server signs its time responses. This prevents an attacker from injecting fake NTP responses because they don't know the key.

On Cisco devices: configured with ntp authenticate and ntp authentication-key commands. The exam may reference this as a hardening step.
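
A client-side check for the symmetric-key scheme described above, as an added Python example (not code from the original article or from any NTP implementation). It assumes the classic layout of a 4-byte key ID followed by a digest computed over the shared key concatenated with the 48-byte header; the key, key ID and header are constructed sample values.

```python
import hashlib
import hmac

HEADER_LEN = 48  # fixed NTP header, before any key ID and digest


def digest(key, header, algo):
    """Keyed digest assumed here: hash(key || header), as in classic NTP."""
    return hashlib.new(algo, key + header).digest()


def sign(header, key_id, key, algo="sha1"):
    """Server side: append the 4-byte key ID and the digest to the header."""
    return header + key_id.to_bytes(4, "big") + digest(key, header, algo)


def verify(datagram, trusted_keys, algo="sha1"):
    """Client side: return the header if the MAC checks out, else None."""
    mac_len = hashlib.new(algo).digest_size
    if len(datagram) != HEADER_LEN + 4 + mac_len:
        return None  # unauthenticated or malformed reply
    header = datagram[:HEADER_LEN]
    key_id = int.from_bytes(datagram[HEADER_LEN:HEADER_LEN + 4], "big")
    key = trusted_keys.get(key_id)
    if key is None:
        return None  # key ID is not in the trusted set
    expected = digest(key, header, algo)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(datagram[HEADER_LEN + 4:], expected):
        return None
    return header


# Constructed sample data: key ID, secret and a zeroed stratum-2 reply header.
TRUSTED_KEYS = {7: b"constructed-shared-secret"}
HEADER = bytes([0x24, 2]) + bytes(46)

if __name__ == "__main__":
    good = sign(HEADER, 7, TRUSTED_KEYS[7])
    altered = bytearray(good)
    altered[40] ^= 0xFF  # transmit timestamp changed in transit, MAC unchanged
    print(verify(good, TRUSTED_KEYS) is not None)   # genuine reply accepted
    print(verify(bytes(altered), TRUSTED_KEYS))     # altered reply rejected
```

A client that enforces this drops every reply for which `verify` returns None, including plain 48-byte replies that carry no MAC at all.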

Quick reference — NTP facts for the exam

NTP exam reference
Protocol:   NTP (Network Time Protocol)
Port:        UDP 123
Purpose:     Clock synchronisation across network devices

Stratum 0:   Atomic clock / GPS — reference source, not on network
Stratum 1:   Primary server — directly connected to Stratum 0
Stratum 2:   Syncs from Stratum 1 — typical enterprise NTP server
Lower = more accurate  |  Max usable stratum = 15

Kerberos:   Fails if clock skew > 5 minutes — most tested consequence
TOTP/MFA:   Time-based codes fail if clock is wrong
Logs:       Cannot correlate events across devices with different times

SNTP:       Simplified NTP — single server, no drift correction
NTP auth:   MD5 or SHA key — prevents time spoofing

NTP amplification:  monlist command abused for DDoS reflection

Exam scenarios

💬 "Users on a Windows domain are suddenly unable to authenticate. The help desk finds that one workstation's clock is 10 minutes ahead of the domain controller. What is the most likely cause of the authentication failure?" → Kerberos requires clock skew to be within 5 minutes — a 10-minute difference causes authentication tickets to be rejected
💬 "Which protocol synchronises clocks across network devices and uses UDP port 123?" → NTP — Network Time Protocol
💬 "An NTP server synchronises directly from an atomic clock. What stratum level is it?" → Stratum 1
💬 "Which stratum level describes the atomic clocks and GPS receivers that are the ultimate reference time sources?" → Stratum 0
💬 "A security analyst is investigating an incident but finds that log timestamps from different devices don't align. What should be implemented to prevent this?" → NTP — synchronise all devices to a common time source so log timestamps are consistent
💬 "An attacker sends a small spoofed UDP packet to a public NTP server and the victim receives a large flood of traffic in response. What attack is this?" → NTP amplification attack — the attacker exploits the monlist command to amplify traffic toward the victim
💬 "Which simplified version of NTP is used on embedded and IoT devices where full NTP is too resource-intensive?" → SNTP — Simple Network Time Protocol, also uses UDP port 123
💬 "What NTP feature prevents attackers from injecting fake time responses?" → NTP authentication — shared MD5 or SHA keys that the client uses to verify the server's responses are legitimate
