Understanding NTP Connections to Foreign Countries

Hello. Several systems on my network are attempting to connect via port 123 to servers in foreign countries. I’m attempting to determine if this is malicious traffic or expected behavior.

Will #.us.pool.ntp.org ever resolve to an NTP server outside of the US?

I.e., if I configure my system to use us.pool.ntp.org, may I then assume that system should no longer attempt to connect to foreign countries on port 123 - unless it has been compromised?

Thanks

Hi, no, I wouldn’t assume that. The pool works on a hierarchy of country → continent → world with a preference for geographically close servers. To spread the load it supplies results from all three levels. Sometimes the IP → geolocation lookup service gives incorrect results too.

NTP daemons are designed to sanity-check and average the data from the servers, so unless a majority give malicious results AND the initial local hardware clock in your device was close to the incorrect time from those servers, the daemon will most likely ignore them anyway.

If you’ve got many devices on your network it would be friendly to set up a device or two to sync from the pool and sync your network devices to those servers. There’s some guidance here: pool.ntp.org: How do I setup NTP to use the pool?
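As an added example (not part of the original thread), one way to turn the answer's recommendation into a check: once only a couple of designated internal hosts are allowed to sync from the pool, any other host sending UDP/123 outside the network is what merits investigation, regardless of the destination's country. The firewall log format, addresses and designated-server list below are constructed assumptions.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed example values (not from the original thread): the two internal
# hosts permitted to sync from us.pool.ntp.org on behalf of the whole network.
DESIGNATED_NTP_SERVERS = {"10.0.0.5", "10.0.0.6"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed, simplified firewall log format:
# "<ts> <ALLOW|DENY> <UDP|TCP> <src>:<sport> -> <dst>:<dport>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_unexpected_ntp_egress(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for each outbound UDP/123 flow whose source is
    not a designated internal NTP server. Destination country is deliberately
    ignored: pool.ntp.org hands out country-, continent- and world-level servers,
    so a foreign destination by itself is not evidence of compromise."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["proto"] != "UDP" or m["dport"] != "123":
            continue
        src, dst = m["src"], m["dst"]
        if not is_internal(src) or is_internal(dst):
            continue  # inbound or purely internal NTP traffic is out of scope here
        if src not in DESIGNATED_NTP_SERVERS:
            findings.append((m["ts"], src, dst))
    return findings

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    "2024-01-01T00:00:01 ALLOW UDP 10.0.0.5:123 -> 203.0.113.10:123",    # designated server -> pool: expected
    "2024-01-01T00:00:02 ALLOW UDP 10.0.0.6:45222 -> 198.51.100.7:123",  # designated server -> pool: expected
    "2024-01-01T00:00:03 ALLOW UDP 10.0.0.77:123 -> 10.0.0.5:123",       # workstation -> internal server: expected
    "2024-01-01T00:00:04 ALLOW UDP 10.0.0.77:123 -> 192.0.2.44:123",     # workstation bypassing internal servers
    "2024-01-01T00:00:05 ALLOW TCP 10.0.0.77:51000 -> 192.0.2.44:443",   # not NTP
]

if __name__ == "__main__":
    for ts, src, dst in find_unexpected_ntp_egress(SAMPLE_LOG):
        print(f"{ts} unexpected NTP egress from {src} to {dst}")
```

A host flagged this way either has a stale client configuration still pointing at the pool, or is running something other than the expected NTP client, and can be checked directly instead of chasing the geography of pool servers.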