nanog mailing list archives

Re: Filter NTP traffic by packet size?

From: sjt5atra <sjt5atra () gmail com>
Date: Sun, 23 Feb 2014 18:38:52 -0500

On Feb 23, 2014, at 4:39 PM, James Braunegg <james.braunegg () micron21 com> wrote:

Dear All

I released a bit of a blog article last week about filtering NTP request traffic via packet size which might be of 
interest !

So far I known of an unknown tool makes a default request packet of 50 bytes in size
ntpdos.py makes a default request packet of 60 bytes in size
ntp_monlist.py makes a default request packet of 234 bytes in size
monlist from ntpdc makes a default request packet of 234 bytes in size

In contrast a normal NTP request for a time sync is about 90 bytes in size

More information and some graphs can be found here  http://www.micron21.com/ddos-ntp.php

Kindest Regards

   
James Braunegg


Do these .py's do anything else different to the query packets than "normal" ntp clients? (254TTL instead of the more 
common 63TTL for "normal" clients.)

Current thread:

Re: Filter NTP traffic by packet size?, (continued)
- - - Re: Filter NTP traffic by packet size? Mikael Abrahamsson (Feb 23)
    - Re: Filter NTP traffic by packet size? Peter Phaal (Feb 23)
    - Re: Filter NTP traffic by packet size? sthaug (Feb 23)
    - Re: Filter NTP traffic by packet size? Lukasz Bromirski (Feb 23)
    - Re: Filter NTP traffic by packet size? Mikael Abrahamsson (Feb 23)
    - Re: Filter NTP traffic by packet size? George William Herbert (Feb 23)
    - Re: Filter NTP traffic by packet size? Royce Williams (Feb 23)
    - Re: Filter NTP traffic by packet size? Royce Williams (Feb 23)
    - Re: Filter NTP traffic by packet size? joel jaeggli (Feb 23)
    - RE: Filter NTP traffic by packet size? James Braunegg (Feb 23)
    - Re: Filter NTP traffic by packet size? sjt5atra (Feb 24)
    - Re: Filter NTP traffic by packet size? Jérôme Nicolle (Feb 28)
    - Re: Filter NTP traffic by packet size? Mikael Abrahamsson (Feb 23)
    - Re: Filter NTP traffic by packet size? Randy Bush (Feb 23)
    - Re: Filter NTP traffic by packet size? Ray Soucy (Feb 24)
    - Re: Filter NTP traffic by packet size? Blake Hudson (Feb 25)
    - RE: Filter NTP traffic by packet size? Staudinger, Malcolm (Feb 25)
    - Re: Filter NTP traffic by packet size? Nick Hilliard (Feb 25)
    - Re: Filter NTP traffic by packet size? Blake Hudson (Feb 25)
    - Re: Filter NTP traffic by packet size? Keegan Holley (Feb 26)
    - Re: Filter NTP traffic by packet size? Brandon Galbraith (Feb 26)

(Thread continues...)