nanog mailing list archives

Re: Filter NTP traffic by packet size?

From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Fri, 21 Feb 2014 05:24:00 +0000


On Feb 21, 2014, at 11:40 AM, Harlan Stenn <stenn () ntp org> wrote:

As a reality check, with this filtering in place does "ntptrace" still work?


No, it will not.

In order to minimize overblocking of this nature, filtering of this nature should be used with the highest possible 
degree of granularity, and the minimal necessary scope.  One way to accomplish this is to divert traffic towards 
destinations in question into a mitigation/center sinkhole, applying this filtering on the coreward interfaces of the 
mitigation center/sinkhole gateway (some re-injection mechanism such as GRE, VRF, selective filtering of the diversion 
route announcements coupled w/PBR, etc. must be used to re-inject non-matching traffic towards the destinations in 
question) or via other mitigation mechanisms.

In emergencies, the concept of partial service recovery may dictate temporary filtering of coarser granularity in order 
to preserve overall network availability; we've run into situations in the past week-and-a-half where networks were 
experiencing severe strain due to the sheer volume of ntp reflection/amplification attack traffic, and it was necessary 
to start out with more general filtering, then work towards more specific filtering once the network was stabilized.

But you raise a very important point which should be re-emphasized - general filtering of traffic is to be avoided 
whenever possible in order to avoid breaking applications/services.  

However, the converse notion that emergency situations sometimes entail necessary restrictions should also be taken 
into account.  Operators should use their best judgement as to the scope of any filtering, and should always pilot any 
proposed mitigation methodologies prior to wider deployment.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton

Current thread:

Re: Filter on IXP, (continued)
- - - Re: Filter on IXP Patrick W. Gilmore (Feb 28)
    - Re: Filter on IXP Jérôme Nicolle (Feb 28)
    - Re: Filter NTP traffic by packet size? Saku Ytti (Feb 22)
- Re: Filter NTP traffic by packet size? Laszlo Hanyecz (Feb 20)
  - Re: Filter NTP traffic by packet size? James R Cutler (Feb 20)
- Re: Filter NTP traffic by packet size? Phil Bedard (Feb 20)
- Re: Filter NTP traffic by packet size? Dobbins, Roland (Feb 20)
  - Re: Filter NTP traffic by packet size? Dobbins, Roland (Feb 20)
  - Re: Filter NTP traffic by packet size? Dobbins, Roland (Feb 20)
  - Re: Filter NTP traffic by packet size? Harlan Stenn (Feb 21)
    - Re: Filter NTP traffic by packet size? Dobbins, Roland (Feb 20)
- RE: Filter NTP traffic by packet size? Phil Bedard (Feb 23)
- Re: Filter NTP traffic by packet size? Brandon Butterworth (Feb 23)
- Re: Filter NTP traffic by packet size? Harry Hoffman (Feb 26)