Re: Filter NTP traffic by packet size?

[Cb B <cb.list6 () gmail com>]

On Thu, Feb 20, 2014 at 2:12 PM, Damian Menscher <damian () google com> wrote:
> On Thu, Feb 20, 2014 at 1:03 PM, Jared Mauch <jared () puck nether net> wrote:
> >  On Feb 20, 2014, at 3:51 PM, John Weekes <jw () nuclearfallout net> wrote:
> > > On 2/20/2014 12:41 PM, Edward Roels wrote:
> > > > Curious if anyone else thinks filtering out NTP packets above a certain
> > > > packet size is a good or terrible idea.
> > > >
> > > > From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6
> > are
> > > > typical for a client to successfully synchronize to an NTP server.
> > > >
> > > > If I query a server for it's list of peers (ntpq -np <ip>) I've seen
> > > > packets as large as 522 bytes in a single packet in response to a 54
> > byte
> > > > query.  I'll admit I'm not 100% clear of the what is happening
> > > > protocol-wise when I perform this query.  I see there are multiple
> > packets
> > > > back forth between me and the server depending on the number of peers it
> > > > has?
> > >
> > > If your equipment supports this, and you're seeing reflected NTP
> > attacks, then it is an effective stopgap to block nearly all of the inbound
> > attack traffic to affected hosts. Some still comes through from NTP servers
> > running on nonstandard ports, but not much.
>
> Also, don't forget to ask those sending the attack traffic to trace where
> the spoofed packets ingressed their networks.
>
>  > Standard IPv4 NTP response packets are 76 bytes (plus any link-level
> > headers), based on my testing. I have been internally filtering packets of
> > other sizes against attack targets for some time now with no ill-effect.
> >
> > You can filter packets that are 440 bytes in size and it will do a lot to
> > help the problem, but make sure you conjoin these with protocol udp and
> > port=123 rules to avoid collateral damage.
>
> Preferably just source-port 123.
>
> You may also want to look at filtering UDP/80 outright as well, as that is
> > commonly used as an "I'm going to attack port 80" by attackers that don't
> > quite understand the difference between UDP and TCP.
>
> Please don't filter UDP/80.  It's used by QUIC (
> http://en.wikipedia.org/wiki/QUIC).
>
> Damian

The folks at QUIC have been advised to not use UDP for a new protocol,
and they would be very well advised to not use UDP:80 since that is a
well known target port used in the DDoS reflection attacks.

As Jared noted, UDP:80 is a cesspool today.  Attempting to use it for
legit traffic is not smart.

CB