Yeah I'm using NTP. They're syncing with ntp.ubuntu.com every half hour. I forget the exact model router -- it's a new one. Netgear AC1600 of some sort. The only port forwarded is to my server to connect to the live feeds over SSL. Nothing is forwarded for the cameras themselves.
The requests I was getting before was 3-4 dozen requests within about 2 or 3 full seconds time. It certainly didn't strike me as NTP, but perhaps something else. When I looked more closely at what external IPs were listed (3 unique external IPs in total), they seem to be Amazon AWS instances.
I wish I had saved the link I read regarding Hikvision
DDNS, but the discussion suggested it's not really "off" until you, the user, switch it to "off". It was a similar set of circumstances -- a user running Wireshark picked up on the output and questioned it, much like I did in my case.
Either way, seems to be good now. Just seems a bit goofy, since mine was switched off, yet when I toggled it on, then off again, the traffic stopped.
