Our network monitoring tools are reporting connections to a TOR exit node.
Upon further inspection, the traffic is NTP, and to our surprise, the IP address seems a legit member of the pool, as we see it returned by some dns requests to pool.ntp.org
The IP in question is 192.99.168.180 (vps-a532d6d8.vps.ovh.ca)
I was wondering if that is normal and if you have a policy regarding a NTP server also operating a tor exit node.
Arguably UDP is connectionless, so it’s a bit weird to report a connection at all, but certainly NTP traffic to UDP 123 on an IP that also is a Tor exit node isn’t something I’d be concerned about. It seems to me there’s room for improvement in the network monitoring tools. Tor and NTP are different protocols, and not all uses of Tor are nefarious, even if many/most are.
The only requirement for pool servers is that they respond to NTP queries. Beyond that, the server admin is free to use their server for whatever purpose they want.
I would recommend adjusting the alerts so that NTP traffic to Tor nodes would not raise an alarm.
Thanks for the clarifications, makes sense.
I see now in the search that this is a common concern that has been addressed multiple times, sorry about that.