Suspicious DNS replies on 0.centos.pool.ntp.org query

Mokaz · February 13, 2020, 2:47pm

Hi there all,

In the hope of posting this in the correct category/community.

Crawling my logs recently, i’ve found some strange replies on DNS queries towards X.centos.pool.ntp.org.
Here is one example:

Date/Time 02-05 08:34
Device Time 2020-02-05 08:34:04
Domain Name 0.centos.pool.ntp.org
Event Time 1580888044259527691
IP Address 185.220.101.20,91.202.42.83,185.220.101.0,134.102.201.104
Query ClassIN
Query TypeA
Query Type Value1
Time Stamp 2020-02-05 08:34:08
Time Zone +0100
Transaction ID29530

I’ve matched pretty all my centos boxes getting the same answers (ip addresses in return to the query) between 05.02.2020 and 07.02.2020.

The issue is that the 185.220.101.xx IP’s returned are Tor.Exit.Nodes. Which i thought was, hum, weird.

If anyone could comment or acknowledge any issues @ntp.org DNS wise?

Thanks,
Regards,
Mokaz

Bas · February 13, 2020, 2:55pm

Why would it be strange?

Most servers use by default ntp-pool servers.
An Tor-Exit-node is also a server, so if it queries the pool for time, it will show up in your logs.

It’s not because it’s an exit-node that it doesn’t use time or asks the pool for time.

I shouldn’t seek anything behind it.

Mokaz · February 13, 2020, 2:57pm

Hi Bas, sure thing it’s understandable that not every Tor-Exit-Node IS bad in the 1st place. It’s more that every automated IDS/IPS/IOCs/SOC/NOC tools will trigger on this…

Thanks for your time, appreciated.
Kind regards,
m.

Bas · February 13, 2020, 3:01pm

I understand that F-secure etc will trigger on it.
Just tell them that port 123 shouldn’t be checked for source.
Then it won’t trigger anything.

And if you are worried over an attack, then change the trigger to e.g. 10 times a minute on same ip.
As an NTP-client doesn’t come that often.

To me it looks like false positives.

littlejason99 · February 13, 2020, 10:01pm

There’s no laws against running TOR, many people value their privacy…

As long as the time they deliver is correct and reliable, that’s all the pool cares about. If your IDS filters out certain IPs, then hopefully you have your NTP client configured correctly that it will retry another IP. That’s also why NTP can utilize up to 10 sources to provide redundancy against outages and falsetickers.

Also, TOR is TCP only… UDP packets (which NTP uses) are not able to traverse the TOR network.

That particular IP in question was removed to a monitor-only source maybe a week ago after it was discovered a user added a bunch of servers that were obviously not his. The common denominator between them all was they all happened to be running TOR. Likely he pulled a list of active servers, tested them to see if they had NTP open, and went to town adding them.

NTPman · February 14, 2020, 7:38am

If a user claims that the server is his own, we should have an automatic verification mechanism in place to verify this claim.

littlejason99 · February 14, 2020, 1:14pm

I agree, and there is discussion in the works about how to tackle this particular problem.

Thankfully though, abuse from people adding servers that aren’t their own is few & far between.

NTPman · February 14, 2020, 2:08pm

Yes, we already discussed this a lot:
https://community.ntppool.org/t/verification-step-to-add-a-server/