TWC (AS11351) blocking all NTP?

John Levine johnl at
Mon Feb 3 18:23:31 UTC 2014

>In regards to anti-spoofing measures - I think there a couple of vectors about the latest NTP attack
>where more rigorous client-side anti-spoofing could help but will not solve it overall.

Most NTP servers only send legitimate traffic to a handful of masters,
often in the pool, and to peers and clients on their own

I know that when I adjusted my NTP config to stop responding to
traffic other than its masters and the local LAN, the outbound
DDoS traffic stopped.  It took a while for the bad guys to notice, so
I added some packet filters to limit the load on the NTP daemon.

It seems thata hosts sending large amounts of NTP traffic over the
public Internet can be safely filtered if you don't already know that
it's one of the handful that's in the pools or another well
known NTP master.


More information about the NANOG mailing list