"Known malicious" hermine.deuza.bzh IP 217.79.189.239

Our firewall system (Palo Alto Networks NGFW) has a “Known malicious IP addresses” list and we monitor connection attempts to this list. Since yesterday, 217.79.189.239 UDP 123 has been attempted from our clients and servers which are configured to use de.pool.ntp.org. Is hermine.deuza.bzh new, and are you sure that it is “clean”? Because it is listed in several lists concerning “bad reputation” etc.

Looks like that IP address is used as a Tor exit node. That does not prevent it from being included in the pool. There are probably others as well.

Maybe you could configure your firewall to not alert you of UDP/123 traffic to “suspicious” servers.

1 Like

But perhaps someone could tell deuza42 about it, because it’s not only alerting, but also blocking. And probably not only with our firewall configuration, but with lots of others as well.

That is, quite frankly, your problem. There is a precedent of allowing Tor exit nodes in the pool. Being a Tor exit node is an intentional choice by the server operator. Nobody needs to tell the server operator about the situation.

If you believe you are going to get malicious traffic via UDP/123 when your clients request time from a Tor exit node, perhaps the pool isn’t the right time source for you. Do note that blocking all other traffic besides UDP/123 to/from that server would be perfectly fine. Maybe you could configure your firewall to keep track of outgoing requests, and allow the responses that come from this suspicious server to your client’s IP address + port.

2 Likes
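The stateful approach suggested above (track outgoing UDP/123 requests and only allow the matching responses back, while still alerting on anything else to or from the server) can be reproduced in alert post-processing even when the firewall itself is configured as a plain blocklist. The following Python is an added example, not code from this thread or from the pool project; the log format (`ts= src= sport= dst= dport= proto=`) and the sample lines are constructed for illustration, and the IP on the watchlist is the one discussed in the thread.

```python
"""Stateful suppression of 'known malicious IP' alerts for NTP traffic.

Added example. Assumes simplified, constructed firewall log lines of the form
  ts=<epoch> src=<ip> sport=<port> dst=<ip> dport=<port> proto=<udp|tcp>
Verdicts:
  allow-request     outbound UDP/123 to a watchlisted server (request recorded)
  allow-response    inbound UDP from port 123 that matches a recent request
  alert-unsolicited inbound from the server with no matching request, or too late
  alert-non-ntp     any other traffic to or from the server (should stay blocked)
  ignore            traffic unrelated to the watchlist
"""
from collections import namedtuple

NTP_PORT = 123
WATCHLIST = {"217.79.189.239"}   # IP from the thread, flagged by the vendor list
RESPONSE_WINDOW = 5.0            # seconds within which an NTP reply is expected

Event = namedtuple("Event", "ts src sport dst dport proto")


def parse_line(line):
    """Parse one key=value log line into an Event (hypothetical format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(float(fields["ts"]), fields["src"], int(fields["sport"]),
                 fields["dst"], int(fields["dport"]), fields["proto"])


def classify(lines, watchlist=WATCHLIST, window=RESPONSE_WINDOW):
    """Return one verdict per line, keeping a table of outstanding requests."""
    pending = {}   # (client_ip, client_port, server_ip) -> request timestamp
    verdicts = []
    for line in lines:
        ev = parse_line(line)
        if ev.dst in watchlist:
            # Outbound: only UDP/123 is legitimate towards a pool server.
            if ev.proto == "udp" and ev.dport == NTP_PORT:
                pending[(ev.src, ev.sport, ev.dst)] = ev.ts
                verdicts.append("allow-request")
            else:
                verdicts.append("alert-non-ntp")
        elif ev.src in watchlist:
            # Inbound: must be a UDP reply from port 123 to a client tuple
            # that asked recently; everything else is unsolicited.
            key = (ev.dst, ev.dport, ev.src)
            sent = pending.pop(key, None)
            if (ev.proto == "udp" and ev.sport == NTP_PORT
                    and sent is not None and ev.ts - sent <= window):
                verdicts.append("allow-response")
            else:
                verdicts.append("alert-unsolicited")
        else:
            verdicts.append("ignore")
    return verdicts


# Constructed sample log: a normal request/response pair, an unsolicited
# packet, a non-NTP connection attempt, a stale reply, and unrelated traffic.
SAMPLE_LOG = [
    "ts=100.0 src=10.1.2.3 sport=51234 dst=217.79.189.239 dport=123 proto=udp",
    "ts=100.1 src=217.79.189.239 sport=123 dst=10.1.2.3 dport=51234 proto=udp",
    "ts=100.2 src=217.79.189.239 sport=123 dst=10.1.2.9 dport=40000 proto=udp",
    "ts=101.0 src=10.1.2.3 sport=51235 dst=217.79.189.239 dport=443 proto=tcp",
    "ts=102.0 src=10.1.2.3 sport=51236 dst=217.79.189.239 dport=123 proto=udp",
    "ts=110.0 src=217.79.189.239 sport=123 dst=10.1.2.3 dport=51236 proto=udp",
    "ts=110.5 src=10.1.2.3 sport=51237 dst=93.184.216.34 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, classify(SAMPLE_LOG)):
        print(f"{verdict:18} {line}")
```

The point of keying on the client's source port is that an NTP reply that nobody asked for, or one that arrives long after the request, still raises an alert, so the suppression only removes the noise the thread describes and not the signal the blocklist was meant to provide.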

Operators of Tor nodes are well used to clueless people blocking them just because they think a Tor node is bad, or because one of their vendors told them a Tor node is bad, so I don’t think that anyone would be telling deuza42 anything new.

We concern ourselves only with the performance of their NTP service. If you don’t like an IP address you should block it or take other action according to your policies.

2 Likes

The pool consists of about 5,000 NTP servers run entirely by volunteers who serve NTP to the public. They are monitored for accurate time and consistent availability, but that’s all. The pool is only concerned with NTP.

You should probably look at setting up your own corporate NTP servers, rather than relying on public NTP servers run by strangers. See “Additional Notes” at pool.ntp.org: How do I setup NTP to use the pool?

You can use DHCP Option 42 to steer clients to your own NTP servers, although adoption of that is not universal.

1 Like

Thanks for your replies 🙂. We found a way to exclude such requests from our security alerting. Just thought that you and/or others wanted to know about this in case someone has configured similar alerts.

(We indeed have set up our own local NTP servers, but e.g. for our Windows clients, which aren’t connected to the internal LAN all the time, we configured de.pool.ntp.org as a fallback for time.windows.com.)