
Port 123 carries NTP traffic. The Network Time Protocol. Every time your computer checks the time against a server, that question and answer flow through port 123. Billions of devices, constantly asking: what time is it?

This is not a trivial question. The Internet runs on timestamps. Your bank needs to know which transaction came first. Your SSL certificate needs to prove it has not expired. Your distributed database needs to agree on the order of operations. The logs that investigators will examine need to tell a coherent story.

Without synchronized time, the Internet would not merely be inconvenient. It would be incoherent.

The Problem of Drifting Clocks

In 1977, David Mills was working at COMSAT, a satellite corporation in Washington, D.C. He had studied how clocks in power grids could wander several seconds over a hot summer's day. Now he faced a different problem: the ARPANET.1

The early Internet was a handful of computers at universities and research labs, trading data across phone lines. But these machines did not share a common sense of time. Each had its own clock, and clocks drift. A quartz crystal oscillates at a rate that depends on temperature, voltage, age. Left alone, a computer's clock will wander. Minutes per month. Sometimes more.

This created a problem that seems abstract until you consider the consequences. If Machine A says an event happened at 10:00:00 and Machine B says it happened at 10:00:47, which one is right? When you are debugging a distributed system at 3am, trying to understand why a transaction failed, the answer matters enormously.

Mills saw that the growing network of interconnected computers needed to agree on time. So he built a protocol to make them agree.2

How NTP Works

NTP runs over UDP on port 123. A client sends a small packet to a server, and the server responds with its current time. But the clever part is not the exchange. The clever part is the math.3

The client records four timestamps:

  1. T1: When the client sent the request
  2. T2: When the server received it
  3. T3: When the server sent its response
  4. T4: When the client received it

From these four numbers, NTP calculates two values:

  • Round-trip delay: (T4 - T1) - (T3 - T2)
  • Clock offset: ((T2 - T1) + (T3 - T4)) / 2

The offset tells the client how far its clock is from the server's. The delay tells it how much uncertainty exists in that measurement. NTP uses these calculations to gradually adjust the local clock, not by jumping to the correct time (which would break applications expecting time to flow forward) but by speeding up or slowing down the clock's tick rate until it converges on the truth.

Over the public Internet, NTP typically achieves accuracy within tens of milliseconds. On a local network, it can reach better than one millisecond.4
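The four-timestamp calculation above, worked through in Python as an added example that is not part of the original page. The reply packet and the timestamps are constructed (server clock 0.5 s ahead, 62.5 ms each way, 125 ms server processing), and the helper names are illustrative. It also checks that the reply echoes the client's own transmit time, which is how a client discards stale or forged responses.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
HEADER = "!BBbbII4sQQQQ"       # 48-byte NTP header, network byte order

def to_ntp(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp (32 bits of seconds, 32 of fraction)."""
    return int(round((unix_seconds + NTP_EPOCH_DELTA) * 2**32))

def from_ntp(raw):
    """64-bit NTP timestamp -> Unix seconds."""
    return raw / 2**32 - NTP_EPOCH_DELTA

def build_reply(t1, t2, t3, stratum=2):
    """Constructed server reply: LI=0, version 4, mode 4 (server)."""
    first = (0 << 6) | (4 << 3) | 4
    return struct.pack(HEADER, first, stratum, 6, -20, 0, 0, bytes([192, 0, 2, 1]),
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))

def measure(reply, t1, t4):
    """Return (offset, delay) in seconds, rejecting replies that do not match our request."""
    if len(reply) < 48:
        raise ValueError("short packet")
    fields = struct.unpack(HEADER, reply[:48])
    first, origin, receive, transmit = fields[0], fields[8], fields[9], fields[10]
    if first & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    if origin != to_ntp(t1):
        # The server echoes our transmit time; a mismatch means a stale or forged reply.
        raise ValueError("origin timestamp does not match request")
    t2, t3 = from_ntp(receive), from_ntp(transmit)
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server processing time
    offset = ((t2 - t1) + (t3 - t4)) / 2   # positive: the server clock is ahead
    return offset, delay

# Constructed timestamps (Unix seconds), each read from the clock of the side that took it.
T1 = 1700000000.0      # client sends
T2 = 1700000000.5625   # server receives
T3 = 1700000000.6875   # server replies
T4 = 1700000000.25     # client receives

def demo():
    return measure(build_reply(T1, T2, T3), T1, T4)

if __name__ == "__main__":
    print(demo())
```
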

The Stratum Hierarchy

NTP organizes time sources into layers called strata.5

Stratum 0 devices are the high priests of timekeeping: atomic clocks, GPS receivers, radio clocks synchronized to national time standards. These devices do not connect to networks directly. They are too precious, too accurate. Instead, they feed their time to computers that do.

Stratum 1 servers connect directly to Stratum 0 devices. Their clocks are synchronized to within microseconds of the reference. These are the primary time servers, the sources of truth. Universities, national laboratories, and large corporations run Stratum 1 servers.

Stratum 2 servers synchronize to Stratum 1. Stratum 3 synchronizes to Stratum 2. And so on, down to Stratum 15. Each layer adds a small amount of uncertainty, like a game of telephone where the message stays mostly intact.

Stratum 16 means unsynchronized. A machine that has just booted, before it has talked to any time server, sits at Stratum 16. It does not know what time it is.

Mills had a gift for naming things. He called reliable clocks "truechimers" and unreliable ones "falsetickers."6 He saw them as creatures with personalities.

The Scale of It

The NTP Pool Project is a volunteer-run network of time servers that serves as the default time source for most Linux distributions and countless networked devices.7 As of 2025, it operates over 3,400 servers on IPv4 and 1,900 on IPv6.

It serves billions of clients. Your phone. Your router. Your smart thermostat. Your car.

This is the remarkable thing about NTP: it is everywhere, and almost no one knows it exists. The protocol hums along beneath everything, quietly keeping the Internet synchronized. Once configured, a device will check the time about once every ten minutes, requiring only a single packet exchange.8 The overhead is tiny. The benefit is foundational.

Security: The Amplification Problem

In 2013, attackers discovered that NTP could be weaponized.9

The protocol included a debugging command called monlist that would return information about the last 600 clients that had contacted the server. A single 8-byte request could generate a response 556 times larger. This is called an amplification attack.

The attacker sends a monlist request to a vulnerable NTP server with a spoofed source address, the victim's IP address. The server sends its large response to the victim. Multiply this across thousands of vulnerable servers, and you can generate traffic measured in hundreds of gigabits per second.10

The 2013 Spamhaus attack exceeded 300 Gbps. Later attacks using NTP amplification surpassed 2 Tbps.

The fix was simple: disable monlist by default. NTP version 4.2.7 and later do this automatically.11 But the incident revealed a recurring truth about old protocols: features designed for debugging in a trusting environment become weapons when the environment turns hostile.
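A server-side check for this abuse pattern, as an added example that is not part of the original page. It compares bytes received and sent on UDP port 123 per peer; the flow records, the record layout and the alert threshold are constructed assumptions, with the 8-byte request and 556x response taken from the figures above.

```python
from collections import defaultdict

NTP_PORT = 123
RATIO_ALERT = 10.0  # assumed threshold; an ordinary 48-byte poll and reply has ratio 1.0

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, udp_payload_bytes).
# 192.0.2.10 is the NTP server being monitored.
FLOWS = [
    ("198.51.100.7", 40000, "192.0.2.10", 123, 48),    # ordinary client poll
    ("192.0.2.10", 123, "198.51.100.7", 40000, 48),    # ordinary reply
    ("198.51.100.7", 40001, "192.0.2.10", 123, 48),
    ("192.0.2.10", 123, "198.51.100.7", 40001, 48),
    ("203.0.113.5", 50000, "192.0.2.10", 123, 8),      # tiny query, claimed source
    ("192.0.2.10", 123, "203.0.113.5", 50000, 4448),   # reply 556 times larger
]

def reflection_ratios(flows, server_ip):
    """Map each peer to bytes the server sent it divided by bytes received from it."""
    received = defaultdict(int)
    sent = defaultdict(int)
    for src, sport, dst, dport, size in flows:
        if dst == server_ip and dport == NTP_PORT:
            received[src] += size
        elif src == server_ip and sport == NTP_PORT:
            sent[dst] += size
    ratios = {}
    for peer in set(received) | set(sent):
        # Replies with no recorded request (partial capture) are treated as unbounded.
        ratios[peer] = sent[peer] / received[peer] if received[peer] else float("inf")
    return ratios

def suspicious_peers(flows, server_ip, threshold=RATIO_ALERT):
    """Peers whose reply-to-request byte ratio meets the threshold, sorted by address."""
    ratios = reflection_ratios(flows, server_ip)
    return sorted((peer, r) for peer, r in ratios.items() if r >= threshold)

if __name__ == "__main__":
    for peer, ratio in suspicious_peers(FLOWS, "192.0.2.10"):
        print(f"{peer}: server sent {ratio:.0f}x the bytes it received")
```

A flagged peer address is the claimed source of the request, so with spoofing it identifies the likely victim rather than the sender.
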

The Leap Second Problem

The Earth's rotation is slowing. Not by much, perhaps two milliseconds per century, but it adds up. To keep civil time synchronized with the planet's actual position, the International Earth Rotation Service occasionally adds a leap second to UTC.12

For humans, this is imperceptible. For computers, it is a crisis.

Software expects time to move forward continuously. A clock that goes from 23:59:59 to 23:59:60 before reaching 00:00:00 can break applications that were not designed for a 61-second minute. The workarounds are inelegant: some systems "smear" the leap second across several hours, adjusting the clock by tiny fractions to avoid the discontinuity.13

NTP handles leap seconds by including a flag in its packets warning of an upcoming insertion. But the flag is only useful if the software receiving it knows what to do with the information.

SNTP (Simple Network Time Protocol) uses the same packet format and port as NTP but lacks its sophisticated algorithms for filtering jitter, analyzing drift, and cross-referencing multiple sources.14 SNTP is for devices that need "good enough" time without the overhead. IoT sensors. Embedded systems. Devices that cannot afford the memory for a full NTP implementation.

PTP (Precision Time Protocol), on ports 319 and 320, achieves sub-microsecond accuracy but requires specialized hardware. Financial trading systems and telecommunications networks use PTP when NTP is not precise enough.

Chrony is a modern NTP implementation that handles intermittent network connections better than the reference implementation. It has become the default on many Linux distributions.

Why This Port Matters

Consider what depends on synchronized time:

Financial transactions must be ordered correctly. On a stock exchange, a millisecond determines which trade executes first. Disputes over transaction ordering can involve millions of dollars.15

SSL/TLS certificates have validity periods. If your clock is wrong, valid certificates appear expired and expired certificates appear valid. Authentication fails. Connections drop. The secure web stops working.16

Distributed databases need to agree on the order of operations. Cassandra, CockroachDB, Spanner—all depend on synchronized clocks to maintain consistency. Google's Spanner even uses atomic clocks and GPS receivers in its data centers because network time is not precise enough.17

Log correlation during security incidents requires accurate timestamps. When you are reconstructing an attack that bounced through five different systems, the timestamps need to tell a coherent story.

Kerberos authentication uses time as part of its replay attack prevention. Tickets are only valid within a window, typically five minutes. If clocks drift beyond that window, authentication fails.

Every one of these systems assumes that computers can agree on what time it is. That assumption rests on NTP. On port 123. On packets flowing constantly, invisibly, asking and answering the most basic question.

The Man Who Gave the Internet Its Heartbeat

David Mills worked on NTP for over four decades. He refined the algorithms from tens of milliseconds to microseconds. He wrote 28 RFCs. He invented the "fuzzball" routers that ran the early NSFNET. He inspired the author of ping.

He did this while going blind. By the end of his career, he could not see the code he was writing. He dictated it to students and colleagues, holding the entire architecture in his head.18

Mills died on January 17, 2024. He was 85 years old.19

The protocol he created continues to run on billions of devices. It is the default time source for most of the world's computers. It has been operating continuously since before 1985, making it one of the oldest Internet protocols still in production use.

Every timestamp that will ever matter—the moment a stock was traded, the second a certificate was issued, the instant a crime was committed on a networked system—traces back to NTP. To port 123. To a man who saw that the Internet needed a heartbeat and spent his life making sure it kept beating.
