I work in the NOC at an ISP in North Central Iowa. For the last 3 weeks or so, we’ve had a rash of reports of a few different models of Samsung “BD-J” Blu-ray players that pop up with “system time updating.” I have wiresharked with a dynamic IP on a TP-Link router, and then gave the Blu-ray a static IP straight off our Fiber ONT (No router).
Both wiresharks show the Blu-ray querying “pool.ntp.org.” I’m still kind of learning about all of this. Would that mean that Samsung has that default URL hardcoded into these machines? That’s my guess since it appears the same with/without the TP-Link, just a change on the source IP.
In any case, if they were using the default, could that cause this problem? I guess I’m not totally sure what kind of problems using “pool.ntp.org” would result in…
Any help is appreciated, as this is affecting many of our customers.
To be more specific, are you seeing that device sending a DNS request for pool.ntp.org (no subdomain)? And then the device sends an NTP request to one of the IP addresses returned? The NTP request should be done over UDP to port 123.
Do you see other traffic than that from that device, such as HTTP(S) requests or ICMP traffic?
From a Linux machine on the same network, what’s the output of ntpdate -qvd pool.ntp.org ? We’ve improved the service in mainland China in the last year, but it’s still missing servers inside China. Mostly NTP in China is served from the rest of the world.
As @gfk said, Samsung shouldn’t be using the NTP Pool like that.