As I was going through my network last night, my UniFi gateway showed some “risky” destinations that had been contacted from my network. When I took a look, my EXAv and EDAv both had our default extrahop.pool.ntp.org URLs still in the config, and both had resolved to nodes in China or Russia. After looking at this with a colleague here, we realized that these NTP URLs dynamically point to different nodes at different times, which is the intent of the NTP.Pool.Org project, but seems to be insecure in operation.
Apparently this pool is rather large and rotates between a lot of nodes on the back end, in several different countries, both friendly and not. I know it’s SOP to change this setting in any production environment, but we are leaving ourselves very exposed by maintaining the “extrahop.pool.ntp.org” as default for NTP, especially in this current geopolitical climate.
Hope this is helpful.
P.S. Here are the IPs I detected:
China - 220.127.116.11:123
Russia - 18.104.22.168:123
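As an added illustration (not part of the original post), here is a small check that flags outbound UDP/123 flows to any server outside an explicit NTP allow-list, which is how the pool-resolved destinations above would surface in flow logs. The log line format, the approved-server address and the timestamps are constructed assumptions.

```python
import ipaddress
import re

# Hypothetical allow-list of NTP servers this site has explicitly approved.
# The page gives none; the RFC 1918 address here is a constructed placeholder.
APPROVED_NTP_SERVERS = {"10.0.0.5"}

# Constructed sample flow records ("src -> dst:port proto"); not real gateway output.
# The two public addresses are the ones reported in the post above.
SAMPLE_FLOWS = """\
2024-05-01T02:14:07Z 10.0.0.42 -> 220.127.116.11:123 udp
2024-05-01T02:14:09Z 10.0.0.43 -> 18.104.22.168:123 udp
2024-05-01T02:15:00Z 10.0.0.42 -> 10.0.0.5:123 udp
2024-05-01T02:15:03Z 10.0.0.44 -> 203.0.113.7:443 tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<proto>\w+)$"
)

def find_unapproved_ntp(log_text, approved=APPROVED_NTP_SERVERS):
    """Return (src, dst) pairs for UDP/123 flows whose destination is not approved."""
    findings = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        if m["proto"].lower() != "udp" or int(m["port"]) != 123:
            continue  # only NTP traffic is of interest here
        dst = m["dst"]
        try:
            ipaddress.ip_address(dst)  # ignore non-IP destinations
        except ValueError:
            continue
        if dst not in approved:
            findings.append((m["src"], dst))
    return findings

if __name__ == "__main__":
    for src, dst in find_unapproved_ntp(SAMPLE_FLOWS):
        print(f"{src} sent NTP to unapproved server {dst}")
```

Pointing the appliances at a fixed, approved server and alerting on anything else keeps a rotating public pool from quietly changing which hosts the network talks to.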