nanog mailing list archives

Re: Filter NTP traffic by packet size?

From: Blake Hudson <blake () ispn net>
Date: Tue, 25 Feb 2014 10:58:00 -0600

I talked to one of our upstream IP transit providers and was able tonegotiate individual policing levels on NTP, DNS, SNMP, and Chargen byUDP port within our aggregate policer. As mentioned, the legitimatetraffic levels of these services are near 0. We gave each service manytimes the amount to satisfy subscribers, but not enough to overwhelmnetwork links during an attack.


--Blake

Chris Laffin wrote the following on 2/23/2014 8:58 AM:

Ive talked to some major peering exchanges and they refuse to take any action. Possibly if the requests come from many 
peering participants it will be taken more seriously?

On Feb 22, 2014, at 19:23, "Peter Phaal" <peter.phaal () gmail com> wrote:

Brocade demonstrated how peering exchanges can selectively filter
large NTP reflection flows using the sFlow monitoring and hybrid port
OpenFlow capabilities of their MLXe switches at last week's Network
Field Day event.

http://blog.sflow.com/2014/02/nfd7-real-time-sdn-and-nfv-analytics_1986.html

On Sat, Feb 22, 2014 at 4:43 PM, Chris Laffin <claffin () peer1 com> wrote:
Has anyone talked about policing ntp everywhere. Normal traffic levels are extremely low but the ddos traffic is very 
high. It would be really cool if peering exchanges could police ntp on their connected members.

On Feb 22, 2014, at 8:05, "Paul Ferguson" <fergdawgster () mykolab com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2/22/2014 7:06 AM, Nick Hilliard wrote:

On 22/02/2014 09:07, Cb B wrote:
Summary IETF response:  The problem i described is already solved
by bcp38, nothing to see here, carry on with UDP

udp is here to stay.  Denying this is no more useful than trying to
push the tide back with a teaspoon.

Yes, udp is here to stay, and I quote Randy Bush on this, "I encourage
my competitors to block udp."  :-p

- - ferg


- --
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlMIynoACgkQKJasdVTchbJsqQD/ZVz5vYaIAEv/z2kbU6kEM+KS
OQx2XcSkU7r02wNDytoBANVkgZQalF40vhQED+6KyKv7xL1VfxQg1W8T4drh+6/M
=FTxg
-----END PGP SIGNATURE-----

Current thread:

Re: Filter NTP traffic by packet size?, (continued)
- - - Re: Filter NTP traffic by packet size? George William Herbert (Feb 23)
    - Re: Filter NTP traffic by packet size? Royce Williams (Feb 23)
    - Re: Filter NTP traffic by packet size? Royce Williams (Feb 23)
    - Re: Filter NTP traffic by packet size? joel jaeggli (Feb 23)
    - RE: Filter NTP traffic by packet size? James Braunegg (Feb 23)
    - Re: Filter NTP traffic by packet size? sjt5atra (Feb 24)
    - Re: Filter NTP traffic by packet size? Jérôme Nicolle (Feb 28)
    - Re: Filter NTP traffic by packet size? Mikael Abrahamsson (Feb 23)
    - Re: Filter NTP traffic by packet size? Randy Bush (Feb 23)
    - Re: Filter NTP traffic by packet size? Ray Soucy (Feb 24)
    - Re: Filter NTP traffic by packet size? Blake Hudson (Feb 25)
    - RE: Filter NTP traffic by packet size? Staudinger, Malcolm (Feb 25)
    - Re: Filter NTP traffic by packet size? Nick Hilliard (Feb 25)
    - Re: Filter NTP traffic by packet size? Blake Hudson (Feb 25)
    - Re: Filter NTP traffic by packet size? Keegan Holley (Feb 26)
    - Re: Filter NTP traffic by packet size? Brandon Galbraith (Feb 26)
    - Managing ACL exceptions (was Re: Filter NTP traffic by packet size?) Jay Ashworth (Feb 26)
    - Re: Managing ACL exceptions (was Re: Filter NTP traffic by packet size?) Keegan Holley (Feb 27)
    - Re: Managing ACL exceptions (was Re: Filter NTP traffic by packet size?) Ray Soucy (Feb 28)
    - Re: Managing ACL exceptions (was Re: Filter NTP traffic by packet size?) Jay Ashworth (Feb 28)
    - Re: Managing ACL exceptions (was Re: Filter NTP traffic by packet size?) Ray Soucy (Feb 28)

(Thread continues...)