TWC (AS11351) blocking all NTP?

Dobbins, Roland rdobbins at arbor.net
Mon Feb 3 03:58:29 UTC 2014


On Feb 3, 2014, at 10:49 AM, Geraint Jones <geraint at koding.com> wrote:

> We block all outbound UDP for our ~200,000 Users for this very reason

Actually, you could've (and should've) been far more selective in what you filtered via ACLs, IMHO.

What about your users who play online games like BF4?

I'm a big believer in using ACLs to intelligently preclude reflection/amplification abuse, but wholesale filtering of all UDP takes matters too far, IMHO.

My suggestion would be to implement antispoofing on the southward interfaces of the customer aggregation edge (if you can't implement it via mechanisms such as cable ip source verify even further southward), and then implement a default ingress ACL on the coreward interfaces of the customer aggregation gateways to block inbound UDP destined to ntp, chargen, DNS, and SNMP ports only.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
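As an added example (not from Roland's post, nor any vendor's or operator's published config), here is what his two-part suggestion looks like as Cisco IOS-style configuration: strict uRPF antispoofing on the southward (customer-facing) interface, and a default ingress ACL on the coreward interface that drops only UDP destined to the chargen, DNS, NTP and SNMP ports. Interface names, the 192.0.2.0/24 customer prefix, the exempted DNS server address and the ACL name are assumptions.

```cisco
! Added example: Cisco IOS-style config for the filtering described above.
! Interface names, addresses and the ACL name are assumed for illustration.
!
! 1) Antispoofing on the southward (customer-facing) interface.
!    Strict uRPF drops any packet whose source address would not be
!    routed back out this same interface, i.e. spoofed sources from
!    customers.  On a CMTS the equivalent, even further southward,
!    is "cable source-verify dhcp" under the cable interface.
interface GigabitEthernet0/1
 description Southward: customer aggregation edge (assumed name)
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! 2) Default ingress ACL on the coreward interface.  Only UDP whose
!    DESTINATION port is a reflector service is dropped; replies to
!    customer-originated queries (destination = ephemeral port) and
!    game traffic on other ports still pass.
ip access-list extended CORE-INGRESS-REFLECTORS
 remark Exempt a known customer-hosted DNS server (assumed address)
 permit udp any host 192.0.2.53 eq domain
 deny   udp any any eq chargen
 deny   udp any any eq domain
 deny   udp any any eq ntp
 deny   udp any any eq snmp
 permit ip any any
!
interface TenGigabitEthernet0/0
 description Coreward: toward core / Internet (assumed name)
 ip access-group CORE-INGRESS-REFLECTORS in
!
! Verification: during a reflection attempt the match counters on the
! deny lines should climb while "permit ip any any" keeps carrying
! everything else.
! show ip access-lists CORE-INGRESS-REFLECTORS
! show ip interface GigabitEthernet0/1 | include verify
```

Two caveats a practitioner would check before deploying this: strict (`reachable-via rx`) uRPF assumes the customer interface is single-homed with symmetric routing, so multihomed customers need loose mode or an explicit source-prefix ACL instead; and the coreward ACL silently breaks any customer-hosted DNS, NTP or SNMP listener that has not been exempted with an earlier `permit` entry, so those exemptions must be maintained as customers change.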
More information about the NANOG mailing list