Filter NTP traffic by packet size?

John Weekes jw at nuclearfallout.net
Thu Feb 20 20:51:53 UTC 2014


On 2/20/2014 12:41 PM, Edward Roels wrote:
> Curious if anyone else thinks filtering out NTP packets above a certain
> packet size is a good or terrible idea.
>
>  From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6 are
> typical for a client to successfully synchronize to an NTP server.
>
> If I query a server for its list of peers (ntpq -np <ip>) I've seen
> packets as large as 522 bytes in a single packet in response to a 54 byte
> query.  I'll admit I'm not 100% clear on what is happening
> protocol-wise when I perform this query.  I see there are multiple packets
> back and forth between me and the server depending on the number of peers it
> has?
>
>
> Would I be breaking something important if I started to filter NTP
> packets > 200 bytes into my network?

If your equipment supports this, and you're seeing reflected NTP 
attacks, then it is an effective stopgap to block nearly all of the 
inbound attack traffic to affected hosts. Some still comes through from 
NTP servers running on nonstandard ports, but not much.

Standard IPv4 NTP response packets are 76 bytes (plus any link-level 
headers), based on my testing. I have been internally filtering packets 
of other sizes against attack targets for some time now with no ill effect.

-John
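The size rule discussed in this exchange, worked out in code. This is an added example, not code from the thread or from any NTP implementation. It assumes the lengths count IP header + UDP header + NTP data (IPv4 20 + 8 + 48 = 76; IPv6 40 + 8 + 48 = 96), which matches the 90/110-byte figures in the question once a 14-byte Ethernet header is added, and the 522-byte reply once a 480-byte mode-7 payload is assumed. All sample packets are constructed, and the `iptables -m length` rule is one way of expressing the proposed filter on a Linux host.

```python
"""Size-based classification of NTP packets (added example, not from the thread).

Assumptions, also noted in comments below: lengths count the IP and UDP
headers plus the NTP payload (IPv4 20 + UDP 8 + NTP 48 = 76; IPv6 40 + 8 + 48
= 96). Adding a 14-byte Ethernet header gives the 90/110-byte figures from
the question. Sample packets are constructed, not captured.
"""
import struct
from dataclasses import dataclass

NTP_DATA_LEN = 48          # fixed NTPv3/v4 header, no extension fields
NTP_CONTROL_HDR_LEN = 12   # mode-6 control message header (what ntpq sends)
ETHERNET_HDR = 14
UDP_HDR = 8
IP_HDR = {4: 20, 6: 40}
NTP_PORT = 123


@dataclass
class Packet:
    family: int      # 4 or 6
    src_port: int
    dst_port: int
    payload: bytes   # UDP payload (NTP data)

    @property
    def ip_length(self) -> int:
        """Layer-3 total length: the value iptables' length match compares."""
        return IP_HDR[self.family] + UDP_HDR + len(self.payload)

    @property
    def frame_length(self) -> int:
        """On-the-wire size including a 14-byte Ethernet header (assumption)."""
        return ETHERNET_HDR + self.ip_length


def ntp_mode(payload: bytes):
    """The NTP mode lives in the low three bits of the first byte."""
    return payload[0] & 0x07 if payload else None


def expected_length(family: int) -> int:
    """Size of a plain time request/response: IP + UDP + 48 bytes of NTP data."""
    return IP_HDR[family] + UDP_HDR + NTP_DATA_LEN


def classify(pkt: Packet, threshold: int = 200) -> str:
    """'standard' for a plain 48-byte time packet, 'oversized' if it exceeds
    the proposed threshold, 'other' for anything else (e.g. a short ntpq query)."""
    if pkt.ip_length == expected_length(pkt.family):
        return "standard"
    if pkt.ip_length > threshold:
        return "oversized"
    return "other"


def would_drop(pkt: Packet, threshold: int = 200) -> bool:
    """The inbound filter proposed in the question: drop NTP packets above threshold."""
    return NTP_PORT in (pkt.src_port, pkt.dst_port) and pkt.ip_length > threshold


def iptables_rule(threshold: int = 200) -> str:
    """Equivalent netfilter rule: layer-3 length match on replies from udp/123."""
    return (f"iptables -A INPUT -p udp --sport {NTP_PORT} "
            f"-m length --length {threshold + 1}:65535 -j DROP")


# --- constructed sample packets ---------------------------------------------
def make_time_packet(mode: int) -> bytes:
    """48-byte NTPv4 header: LI=0, VN=4, given mode; remaining fields zeroed."""
    first = (0 << 6) | (4 << 3) | mode
    return struct.pack("!BBbb11I", first, 2, 6, -20, *([0] * 11))


def make_control_query() -> bytes:
    """12-byte mode-6 control header as ntpq sends (VN=2, mode 6, opcode 1)."""
    return struct.pack("!BBHHHHH", (2 << 3) | 6, 1, 0, 0, 0, 0, 0)


def make_private_reply(payload_len: int) -> bytes:
    """Placeholder for a large mode-7 reply: correct mode bits, zeroed body."""
    return bytes([(2 << 3) | 7]) + bytes(payload_len - 1)


SAMPLES = [
    Packet(4, 123, 40000, make_time_packet(4)),     # server reply, IPv4: 76 / 90 on wire
    Packet(6, 123, 40000, make_time_packet(4)),     # server reply, IPv6: 96 / 110 on wire
    Packet(4, 40000, 123, make_control_query()),    # ntpq -np request: 40 / 54 on wire
    Packet(4, 123, 40000, make_private_reply(480)), # large reply: 508 / 522 on wire
]


def summarize(packets=SAMPLES, threshold=200):
    """How many sample packets the filter drops and how many are plain time packets."""
    return {
        "dropped": sum(would_drop(p, threshold) for p in packets),
        "standard": sum(classify(p, threshold) == "standard" for p in packets),
    }


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"v{p.family} mode={ntp_mode(p.payload)} ip_len={p.ip_length:3d} "
              f"frame={p.frame_length:3d} {classify(p):9s} drop={would_drop(p)}")
    print(iptables_rule())
```

Running it shows the point of both messages: the two plain time packets are exactly 76 and 96 bytes at layer 3 and pass, the 40-byte ntpq query passes, and only the large mode-7 reply crosses the 200-byte threshold. Filtering on the reply direction (source port 123) rather than on all port-123 traffic keeps outbound queries and normal client synchronisation unaffected.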
