Re: UDP/123 policers & status

[Ca By <cb.list6 () gmail com>]

On Wed, Mar 18, 2020 at 8:46 AM Steven Sommars <stevesommarsntp () gmail com>
wrote:

> The various NTP filters (rate limits, packet size limits) are negatively
> affecting the NTP Pool, the new secure NTP protocol (Network Time Security)
> and other clients.  NTP filters were deployed several years ago to solve
> serious DDoS issues, I'm not second guessing those decisions.  Changing the
> filters to instead block NTP mode 7, which cover monlist and other
> diagnostics, would improve NTP usability.
>
> http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf

Yeh, not changing ipv4 filters, Sorry pool. Burned once, twice shy.

There is no simple way to do router filters based on ntp app modes.

I suggest people be aware of time.google.com

And  time.cloudflare.com

CB


> On Tue, Mar 17, 2020 at 11:17 AM Mark Tinka <mark.tinka () seacom mu> wrote:
>
> > On 17/Mar/20 18:05, Ca By wrote:
> >
> >
> >
> >
> > +1 , still see, still have policers
> >
> > Fyi, ipv6 ntp / udp tends to have a much higher success rate getting
> > through cgn / policers / ...
> >
> >
> > For those that have come in as attacks toward customers, we've "scrubbed"
> > them where there has been interest.
> >
> > Mark.