TWC (AS11351) blocking all NTP?

Christopher Morrow morrowc.lists at
Tue Feb 4 02:13:06 UTC 2014

On Mon, Feb 3, 2014 at 7:40 PM, Glen Turner <gdt at> wrote:
> On 4 Feb 2014, at 9:28 am, Christopher Morrow <morrowc.lists at> wrote:
>> wait, so the whole of the thread is about stopping participants in the
>> attack, and you're suggesting that removing/changing end-system
>> switch/routing gear and doing something more complex than:
>>  deny udp any 123 any
>>  deny udp any 123 any 123
>>  permit ip any any
> Which just pushes NTP to some other port, making control harder. We've already pushed all 'interesting' traffic to port 80 on TCP, which has made traffic control very expensive. Let's not repeat that history.

I think in the case of 'oh crap, customer is getting 100gbps of
ntp...' the above (a third party notes that the 2nd line is redundant)
is a fine answer, till the flood abates.

I wouldn't recommend wholesale blocking of anything across an ISP
edge, but for the specific case paul was getting at: "ntp reflection
attack target is your customer" ... it's going to solve the problem.

More information about the NANOG mailing list