TWC (AS11351) blocking all NTP?

Michael DeMan nanog at
Mon Feb 3 05:45:50 UTC 2014

The recently publicized mechanism to leverage NTP servers for amplified DoS attacks is seriously effective.
I had a friend who had a local ISP affected by this Thursday and also another case where just two asterisk servers saturated a 100mbps link to the point of unusability.
Once more - this exploit is seriously effective at using bandwidth by reflection.

From a provider point of view, given the choices between contacting the end-users vs. mitigating the problem, if I were in TW position if I was unable to immediately contact the numerous downstream customers that were affected by this, I would take the option to block NTP on a case-by-case basis (perhaps even taking a broad brush) rather than allow it to continue and cause disruptions elsewhere.

- Mike

On Feb 2, 2014, at 12:44 PM, John Levine <johnl at> wrote:

> In article <20140202163313.GF24634 at> you write:
>> The provider has kindly acknowledged that there is an issue, and are
>> working on a resolution.  Heads up, it may be more than just my region.
> I'm a Time-Warner cable customer in the Syracuse region, and both of
> the NTP servers on my home LAN are happily syncing with outside peers.
> My real servers are hosted in Ithaca, with T-W being one of the
> upstreams and they're also OK.  They were recruited into an NTP DDoS
> last month (while I was at a meeting working on anti-DDoS best
> practice, which was a little embarassing) but they're upgraded and
> locked down now.
> R's,
> John

More information about the NANOG mailing list