nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: UDP/123 policers & status

From: Damian Menscher via NANOG <nanog () nanog org>
Date: Wed, 18 Mar 2020 16:46:36 -0700
On Wed, Mar 18, 2020 at 8:45 AM Steven Sommars <stevesommarsntp () gmail com>
wrote:


The various NTP filters (rate limits, packet size limits) are negatively
affecting the NTP Pool, the new secure NTP protocol (Network Time Security)
and other clients.  NTP filters were deployed several years ago to solve
serious DDoS issues, I'm not second guessing those decisions.  Changing the
filters to instead block NTP mode 7, which cover monlist and other
diagnostics, would improve NTP usability.

http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf




I've advocated a throttle (not a hard block) on udp/123 packets with 468
Bytes/packet (the size of a full monlist response).  In your paper you
mention NTS extensions can be 200+ bytes.  How large do those packets
typically get, in practice?  And how significant is packet loss for them
(if there's high packet loss during the occasional attack, does that pose a
problem)?

Damian
Previous By Date Next
Previous By Thread Next

Current thread: