nanog mailing list archives
Re: Filter NTP traffic by packet size?
From: Cb B <cb.list6 () gmail com>
Date: Fri, 21 Feb 2014 13:22:36 -0800
On Thu, Feb 20, 2014 at 2:12 PM, Damian Menscher <damian () google com> wrote:
On Thu, Feb 20, 2014 at 1:03 PM, Jared Mauch <jared () puck nether net> wrote:On Feb 20, 2014, at 3:51 PM, John Weekes <jw () nuclearfallout net> wrote:On 2/20/2014 12:41 PM, Edward Roels wrote:Curious if anyone else thinks filtering out NTP packets above a certain packet size is a good or terrible idea. From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6aretypical for a client to successfully synchronize to an NTP server. If I query a server for it's list of peers (ntpq -np <ip>) I've seen packets as large as 522 bytes in a single packet in response to a 54bytequery. I'll admit I'm not 100% clear of the what is happening protocol-wise when I perform this query. I see there are multiplepacketsback forth between me and the server depending on the number of peers it has?If your equipment supports this, and you're seeing reflected NTPattacks, then it is an effective stopgap to block nearly all of the inbound attack traffic to affected hosts. Some still comes through from NTP servers running on nonstandard ports, but not much.Also, don't forget to ask those sending the attack traffic to trace where the spoofed packets ingressed their networks. > Standard IPv4 NTP response packets are 76 bytes (plus any link-levelheaders), based on my testing. I have been internally filtering packets of other sizes against attack targets for some time now with no ill-effect. You can filter packets that are 440 bytes in size and it will do a lot to help the problem, but make sure you conjoin these with protocol udp and port=123 rules to avoid collateral damage.Preferably just source-port 123. You may also want to look at filtering UDP/80 outright as well, as that iscommonly used as an "I'm going to attack port 80" by attackers that don't quite understand the difference between UDP and TCP.Please don't filter UDP/80. It's used by QUIC ( http://en.wikipedia.org/wiki/QUIC). Damian
The folks at QUIC have been advised to not use UDP for a new protocol, and they would be very well advised to not use UDP:80 since that is a well known target port used in the DDoS reflection attacks. As Jared noted, UDP:80 is a cesspool today. Attempting to use it for legit traffic is not smart. CB
Current thread:
- Filter NTP traffic by packet size? Edward Roels (Feb 20)
- Re: Filter NTP traffic by packet size? John Weekes (Feb 20)
- Re: Filter NTP traffic by packet size? Jared Mauch (Feb 20)
- Re: Filter NTP traffic by packet size? Damian Menscher (Feb 20)
- Re: Filter NTP traffic by packet size? TGLASSEY (Feb 20)
- Re: Filter NTP traffic by packet size? Cb B (Feb 21)
- Re: Filter NTP traffic by packet size? Damian Menscher (Feb 21)
- Re: Filter NTP traffic by packet size? Cb B (Feb 21)
- Re: Filter NTP traffic by packet size? Seth Mattinen (Feb 21)
- Re: Filter NTP traffic by packet size? Saku Ytti (Feb 22)
- Re: Filter NTP traffic by packet size? Carsten Bormann (Feb 22)
- Re: Filter NTP traffic by packet size? Cb B (Feb 22)
- Re: Filter NTP traffic by packet size? Carsten Bormann (Feb 22)
- Re: Filter NTP traffic by packet size? Randy Bush (Feb 22)
- Re: Filter NTP traffic by packet size? Nick Hilliard (Feb 22)
- Re: Filter NTP traffic by packet size? Paul Ferguson (Feb 22)
- Re: Filter NTP traffic by packet size? Jared Mauch (Feb 20)
- Re: Filter NTP traffic by packet size? John Weekes (Feb 20)