Re: Filter NTP traffic by packet size?

[Cb B <cb.list6 () gmail com>]

On Feb 22, 2014 5:30 AM, "Damian Menscher" <damian () google com> wrote:
> On Fri, Feb 21, 2014 at 1:22 PM, Cb B <cb.list6 () gmail com> wrote:
> > On Thu, Feb 20, 2014 at 2:12 PM, Damian Menscher <damian () google com>
wrote:
> > > On Thu, Feb 20, 2014 at 1:03 PM, Jared Mauch <jared () puck nether net>
wrote:
> > > You may also want to look at filtering UDP/80 outright as well, as
that is
> > > > commonly used as an "I'm going to attack port 80" by attackers that
don't
> > > > quite understand the difference between UDP and TCP.
> > >
> > > Please don't filter UDP/80.  It's used by QUIC (
> > > http://en.wikipedia.org/wiki/QUIC).
> >
> > The folks at QUIC have been advised to not use UDP for a new protocol,
> > and they would be very well advised to not use UDP:80 since that is a
> > well known target port used in the DDoS reflection attacks.
>
>
> Please suggest which protocol has less blocking on the internet today
(keeping in mind the full end-to-end stack of CPE, various ISPs,
country-level proxies, backbone providers, etc).
> Damian

Tcp.

But the actual answer is , if you want a new transport protocol, create a
new transport protocol with a new protocol number. Overloading the clearly
polluted UDP pool will have problems. Happy eyeballs negotiation may be
required for L4.

QUIC can do what it wants.  Like anyone else, they pay their money and take
their chances. But, the data point that UDP is polluted is clearly
documented with several folks on this list suggesting tactical fixes that
involve limiting UDP, especially udp:80