TWC (AS11351) blocking all NTP?

John Levine johnl at iecc.com
Mon Feb 3 18:23:31 UTC 2014


>In regards to anti-spoofing measures - I think there a couple of vectors about the latest NTP attack
>where more rigorous client-side anti-spoofing could help but will not solve it overall.

Most NTP servers only send legitimate traffic to a handful of masters,
often in the ntp.org pool, and to peers and clients on their own
network.

I know that when I adjusted my NTP config to stop responding to
traffic other than its ntp.org masters and the local LAN, the outbound
DDoS traffic stopped.  It took a while for the bad guys to notice, so
I added some packet filters to limit the load on the NTP daemon.

It seems thata hosts sending large amounts of NTP traffic over the
public Internet can be safely filtered if you don't already know that
it's one of the handful that's in the ntp.org pools or another well
known NTP master.

R's,
John
 



More information about the NANOG mailing list