In the hope of posting this in the correct category/community.
Crawling my logs recently, I've found some strange replies to DNS queries towards X.centos.pool.ntp.org.
Here is one example:
Date/Time: 02-05 08:34
Device Time: 2020-02-05 08:34:04
Domain Name: 0.centos.pool.ntp.org
Event Time: 1580888044259527691
IP Address: 185.220.101.20, 91.202.42.83, 185.220.101.0, 134.102.201.104
Query Class: IN
Query Type: A
Query Type Value: 1
Time Stamp: 2020-02-05 08:34:08
Time Zone: +0100
Transaction ID: 29530
I've matched pretty much all my CentOS boxes getting the same answers (IP addresses returned for the query) between 05.02.2020 and 07.02.2020.
The issue is that the 185.220.101.xx IPs returned are Tor exit nodes. Which I thought was, hum, weird.
Could anyone comment on or acknowledge any issues at ntp.org, DNS-wise?
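An added example, not part of this thread, of the kind of check the automated tooling mentioned later in the thread performs: parse a log record in the layout shown above and match each answered address against a watchlist prefix. The record is a constructed copy of the post's example, and the watchlist (the /24 the poster identified) is an assumption standing in for a real feed.

```python
import ipaddress

# Constructed sample input: the DNS answer quoted in the post above, in the
# logger's "Key: Value" layout (only the fields needed here are kept).
SAMPLE_RECORD = """\
Domain Name: 0.centos.pool.ntp.org
IP Address: 185.220.101.20, 91.202.42.83, 185.220.101.0, 134.102.201.104
Query Class: IN
Query Type: A
Transaction ID: 29530
"""

# Hypothetical watchlist: the prefix the poster identified as Tor exit nodes.
# In practice this would come from whatever feed the IDS/IOC tooling uses.
WATCHLIST = [ipaddress.ip_network("185.220.101.0/24")]


def parse_record(text):
    """Parse 'Key: Value' lines into a dict; 'IP Address' becomes a list."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    raw_ips = fields.get("IP Address", "")
    fields["IP Address"] = [ip.strip() for ip in raw_ips.split(",") if ip.strip()]
    return fields


def triage(record, watchlist=WATCHLIST):
    """Split a pool answer into watchlisted and remaining addresses.

    Returns (flagged, remaining): flagged is a list of (ip, matched_prefix)
    pairs, remaining holds the answers a client could still use."""
    flagged, remaining = [], []
    for raw in record["IP Address"]:
        addr = ipaddress.ip_address(raw)
        hit = next((net for net in watchlist if addr in net), None)
        if hit is not None:
            flagged.append((raw, str(hit)))
        else:
            remaining.append(raw)
    return flagged, remaining


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    flagged, remaining = triage(rec)
    print(f"{rec['Domain Name']} (txid {rec['Transaction ID']})")
    for ip, net in flagged:
        print(f"  flagged   {ip:<16} in {net}")
    for ip in remaining:
        print(f"  remaining {ip}")
```

For the quoted answer two of the four addresses fall in the watchlisted prefix and two remain usable, which is the situation a client configured with several pool sources simply rides out.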
Hi Bas, sure thing, it's understandable that not every Tor exit node is bad in the first place. It's more that every automated IDS/IPS/IOC/SOC/NOC tool will trigger on this…
Thanks for your time, appreciated.
Kind regards,
m.
There are no laws against running Tor; many people value their privacy…
As long as the time they deliver is correct and reliable, that's all the pool cares about. If your IDS filters out certain IPs, then hopefully you have your NTP client configured correctly so that it will retry another IP. That's also why NTP can utilize up to 10 sources, to provide redundancy against outages and falsetickers.
Also, Tor is TCP only… UDP packets (which NTP uses) are not able to traverse the Tor network.
That particular IP in question was moved to a monitor-only source maybe a week ago, after it was discovered that a user had added a bunch of servers that were obviously not his. The common denominator between them all was that they all happened to be running Tor. Likely he pulled a list of active servers, tested them to see if they had NTP open, and went to town adding them.