nanog mailing list archives

Re: TWC (AS11351) blocking all NTP?


From: Laszlo Hanyecz <laszlo () heliacal net>
Date: Tue, 4 Feb 2014 18:45:24 +0000

Why not just provide a public API that lets users specify which of your customers they want to null route?  It would 
save operators the trouble of having to detect the flows... and you can sell premium access that allows the API user to 
null route all your other customers at once.

Once everyone implements these awesome flow detectors it will just take short bursts of flooding to DoS their 
customers.  If you can detect them in less than a second, it might not even show up on any interface graphs.  I think 
this is already the case at a lot of VPS and hosting providers, since they're such popular sources as well as targets.

I don't know what, if anything, is the answer to these problems, but building complex auto-filtering contraptions is 
not it.  Filtering NTP or UDP or any other specific application will just break things more, which is the goal of a 
'denial of service' attack.  Eventually everything will just be stuffed into TCP port 80 packets and the arms race will 
continue.

The recent abuse of NTP is unfortunate, but it will get fixed.  I just wonder if UDP will have to be tunneled inside 
HTTP by then.

Laszlo



