Default NTP settings can point to nodes in China or Russia

As I was going through my network last night, my UniFi gateway showed some “risky” destinations that had been contacted from my network. When I took a look, my EXAv and EDAv both had our default extrahop.pool.ntp.org URLs still in the config, and both had resolved to nodes in China or Russia. After looking at this with a colleague here, we realized that these NTP URLs dynamically point to different nodes at different times, which is the intent of the NTP Pool Project, but seems to be insecure in operation.

Apparently this pool is rather large and rotates between a lot of nodes on the back end, in several different countries, both friendly and not. I know it’s SOP to change this setting in any production environment, but we are leaving ourselves very exposed by maintaining the “extrahop.pool.ntp.org” as default for NTP, especially in this current geopolitical climate.

Personally, for home use I am pointing to the Navy NTP servers Tick and Tock, but perhaps as a default we could use the NIST servers at “time.nist.gov”. More info on that here: NIST Internet Time Service

Hope this is helpful.

P.S. Here are the IPs I detected:

China - 202.118.1.130:123
Russia - 94.247.111.10:123
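The check behind the post above, as an added example that is not part of the original thread or any ExtraHop or UniFi tooling: once NTP is pinned to a known set of servers, any UDP/123 flow leaving the network for a destination outside that set is worth an alert. The flow-record format, the approved networks (RFC 5737 documentation addresses) and the sample records are all constructed for this example; the two flagged destinations are the addresses reported in the post.

```python
"""Flag NTP (UDP/123) flows to destinations outside an approved server list.

Added example; assumes a simple constructed flow-log format, not UniFi's or ExtraHop's.
"""
import ipaddress
import re

# One record per line: "<timestamp> <src> -> <dst>:<port> <proto>" (assumed format).
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)

# Hypothetical allow-list: the NTP servers this site has pinned its appliances to.
# RFC 5737 documentation addresses stand in for real server addresses.
APPROVED_NTP = [
    ipaddress.ip_network("192.0.2.10/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed flow records; the two unapproved destinations are the addresses the post reported.
SAMPLE_FLOWS = """\
2024-05-01T02:14:07Z 10.0.0.21 -> 202.118.1.130:123 udp
2024-05-01T02:14:09Z 10.0.0.22 -> 94.247.111.10:123 udp
2024-05-01T02:15:00Z 10.0.0.21 -> 192.0.2.10:123 udp
2024-05-01T02:15:01Z 10.0.0.23 -> 198.51.100.7:123 udp
2024-05-01T02:15:02Z 10.0.0.30 -> 203.0.113.5:443 tcp
this line is not a flow record
"""


def parse_flow(line):
    """Return a dict for one flow record, or None if the line does not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_approved(dst, approved=APPROVED_NTP):
    """True if dst falls inside any approved network (CIDR or single-host)."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in approved)


def find_unapproved_ntp(log_text, approved=APPROVED_NTP):
    """Return (timestamp, src, dst) for each UDP/123 flow whose destination is not approved.

    Non-NTP traffic and unparseable lines are skipped rather than flagged.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        if rec["proto"] != "udp" or rec["port"] != 123:
            continue
        if not is_approved(rec["dst"], approved):
            findings.append((rec["ts"], rec["src"], rec["dst"]))
    return findings


if __name__ == "__main__":
    for ts, src, dst in find_unapproved_ntp(SAMPLE_FLOWS):
        print(f"{ts} {src} queried unapproved NTP server {dst}")
```

Run against the constructed sample, the script reports the two pool-resolved addresses and stays quiet about the pinned servers; pointing the allow-list at whatever servers the appliances are actually configured with turns the same logic into a standing check that the default pool entry has not crept back into a config.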

ExtraHop has explicitly obtained permission from ntp.org to use the pool as it is configured. ExtraHop does not have permission to ship our appliances configured to speak to other time services.

The settings are easy to change to a different pool of servers.