TWC (AS11351) blocking all NTP?

Laszlo Hanyecz laszlo at
Tue Feb 4 19:01:51 UTC 2014

I was joking, I meant that the operator provides an API for attackers, so they can accomplish their goal of taking the customer offline, without having to spoof or flood or whatever else.  Automatically installing ACLs in response to observed flows accomplishes almost the same thing.  As a concrete example, say a customer is running a game server that utilizes UDP port 12345.  An attacker sends a large flow to customer:12345 and your switches and routers all start filtering anything with destination customer:12345, for say 2 hours.  Then the attacker can just repeat in 2 hours and send only a few seconds worth of flooding each time.

On Feb 4, 2014, at 6:52 PM, William Herrin <bill at> wrote:

> On Tue, Feb 4, 2014 at 1:45 PM, Laszlo Hanyecz <laszlo at> wrote:
>> Why not just provide a public API that lets users specify which
>> of your customers they want to null route?
> They're spoofed packets. There's no way for anyone outside your AS to
> know which of your customers the packets came from. It's not
> particularly easy to trace inside your AS either.
> Regards,
> Bill Herrin
> -- 
> William D. Herrin ................ herrin at  bill at
> 3005 Crane Dr. ...................... Web: <>
> Falls Church, VA 22042-3004

More information about the NANOG mailing list