Re: TWC (AS11351) blocking all NTP?

[Christopher Morrow <morrowc.lists () gmail com>]

On Mon, Feb 3, 2014 at 7:40 PM, Glen Turner <gdt () gdt id au> wrote:
> On 4 Feb 2014, at 9:28 am, Christopher Morrow <morrowc.lists () gmail com> wrote:
>
> > wait, so the whole of the thread is about stopping participants in the
> > attack, and you're suggesting that removing/changing end-system
> > switch/routing gear and doing something more complex than:
> >  deny udp any 123 any
> >  deny udp any 123 any 123
> >  permit ip any any
>
> Which just pushes NTP to some other port, making control harder. We've already pushed all 'interesting' traffic to 
> port 80 on TCP, which has made traffic control very expensive. Let's not repeat that history.

I think in the case of 'oh crap, customer is getting 100gbps of
ntp...' the above (a third party notes that the 2nd line is redundant)
is a fine answer, till the flood abates.

I wouldn't recommend wholesale blocking of anything across an ISP
edge, but for the specific case paul was getting at: "ntp reflection
attack target is your customer" ... it's going to solve the problem.