Suspicious DNS replies on 0.centos.pool.ntp.org query

Hi there all,

In the hope of posting this in the correct category/community.

Crawling my logs recently, i’ve found some strange replies on DNS queries towards X.centos.pool.ntp.org.
Here is one example:

Date/Time 02-05 08:34
Device Time 2020-02-05 08:34:04
Domain Name 0.centos.pool.ntp.org
Event Time 1580888044259527691
IP Address 185.220.101.20,91.202.42.83,185.220.101.0,134.102.201.104
Query ClassIN
Query TypeA
Query Type Value1
Time Stamp 2020-02-05 08:34:08
Time Zone +0100
Transaction ID29530

I’ve matched pretty all my centos boxes getting the same answers (ip addresses in return to the query) between 05.02.2020 and 07.02.2020.

The issue is that the 185.220.101.xx IP’s returned are Tor.Exit.Nodes. Which i thought was, hum, weird.

If anyone could comment or acknowledge any issues @ntp.org DNS wise?

Thanks,
Regards,
Mokaz

Why would it be strange?

Most servers use by default ntp-pool servers.
An Tor-Exit-node is also a server, so if it queries the pool for time, it will show up in your logs.

It’s not because it’s an exit-node that it doesn’t use time or asks the pool for time.

I shouldn’t seek anything behind it.

Hi Bas, sure thing it’s understandable that not every Tor-Exit-Node IS bad in the 1st place. It’s more that every automated IDS/IPS/IOCs/SOC/NOC tools will trigger on this…

Thanks for your time, appreciated.
Kind regards,
m.

I understand that F-secure etc will trigger on it.
Just tell them that port 123 shouldn’t be checked for source.
Then it won’t trigger anything.

And if you are worried over an attack, then change the trigger to e.g. 10 times a minute on same ip.
As an NTP-client doesn’t come that often.

To me it looks like false positives.

There’s no laws against running TOR, many people value their privacy…

As long as the time they deliver is correct and reliable, that’s all the pool cares about. If your IDS filters out certain IPs, then hopefully you have your NTP client configured correctly that it will retry another IP. That’s also why NTP can utilize up to 10 sources to provide redundancy against outages and falsetickers.

Also, TOR is TCP only… UDP packets (which NTP uses) are not able to traverse the TOR network.

That particular IP in question was removed to a monitor-only source maybe a week ago after it was discovered a user added a bunch of servers that were obviously not his. The common denominator between them all was they all happened to be running TOR. Likely he pulled a list of active servers, tested them to see if they had NTP open, and went to town adding them.

1 Like

If a user claims that the server is his own, we should have an automatic verification mechanism in place to verify this claim.

I agree, and there is discussion in the works about how to tackle this particular problem.

Thankfully though, abuse from people adding servers that aren’t their own is few & far between.

Yes, we already discussed this a lot:
https://community.ntppool.org/t/verification-step-to-add-a-server/