nanog mailing list archives

Re: TWC (AS11351) blocking all NTP?

From: Paul Ferguson <fergdawgster () mykolab com>
Date: Sun, 02 Feb 2014 08:14:43 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

While I do not profess to know the cause of your particular NTP sync
problem, this *might* be due to knee-jerk reactions to the NTP
reflection/amplification DDoS attacks that have been quite an
annoyance and operational issue lately.  suspect that some operators
have found that perhaps they harbored some device inside their own
networks are being used (or might be used) to facilitate these attacks:

https://www.us-cert.gov/ncas/current-activity/2014/01/10/Network-Time-Protocol-NTP-Amplification-Attacks

See also:

http://openntpproject.org/

- - ferg


On 2/1/2014 8:03 PM, Jonathan Towne wrote:

This evening all of my servers lost NTP sync, stating that our
on-site NTP servers hadn't synced in too long.

Reference time noted by the local NTP servers: Fri, Jan 31 2014
19:11:29.725

Apparently since then, NTP has been unable to traverse the circuit.
Our other provider is shuffling NTP packets just fine, and after
finding an NTP peer that return routed in that direction, I was
able to get NTP back in shape.

Spot checking various NTP peers configured on my end with various
looking glasses close to the far-end confirm that anytime the
return route is through AS11351, we never get the responses.
Outbound routes almost always take the shorter route through our
other provider.

Is anyone else seeing this, or am I lucky enough to have it
localized to my region (Northern NY)?

I've created a ticket with the provider, although with it being the
weekend, I have doubts it'll be a quick resolution.  I'm sure its a
strange knee-jerk response to the monlist garbage.  Still, stopping
time without warning is Uncool, Man.

-- Jonathan Towne



- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlLubvMACgkQKJasdVTchbK8mwD9HDHJ2YSDciN8k6YkRDu4MbxS
r0zEU/8ofP8HaK8YoEYBANhDP+VIhC3Cz/cKc4TI8WeGHqX1ZWN1OwnxLihR3sjx
=KEeR
-----END PGP SIGNATURE-----

Current thread:

TWC (AS11351) blocking all NTP? Jonathan Towne (Feb 01)
- Re: TWC (AS11351) blocking all NTP? Paul Ferguson (Feb 02)
- Re: TWC (AS11351) blocking all NTP? Jonathan Towne (Feb 02)
  - Re: TWC (AS11351) blocking all NTP? John Levine (Feb 02)
    - Re: TWC (AS11351) blocking all NTP? Michael DeMan (Feb 02)
    - Re: TWC (AS11351) blocking all NTP? Dobbins, Roland (Feb 02)
    - Re: TWC (AS11351) blocking all NTP? Dobbins, Roland (Feb 02)
    - Re: TWC (AS11351) blocking all NTP? Michael DeMan (Feb 02)
    - Re: TWC (AS11351) blocking all NTP? Dobbins, Roland (Feb 02)
    - Re: TWC (AS11351) blocking all NTP? John Kristoff (Feb 03)
    - Re: TWC (AS11351) blocking all NTP? Dobbins, Roland (Feb 03)
    - Re: TWC (AS11351) blocking all NTP? John Levine (Feb 03)

(Thread continues...)