Filter NTP traffic by packet size?
Dobbins, Roland
rdobbins at arbor.net
Fri Feb 21 02:55:06 UTC 2014
On Feb 21, 2014, at 3:41 AM, Edward Roels <edwardroels at gmail.com> wrote:
> From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6 are typical for a client to successfully synchronize to an NTP server.
Correct. 90 bytes = 76 bytes + Ethernet framing.
Filtering out packets this size from UDP/anything to UDP/123 allows time-sync requests and responses to work, but squelches both the level-6/-7 commands used to trigger amplification as well as amplified attack traffic.
Operators are using this size-based filtering to effect without breaking the world.
Be sure to pilot this first, and understand whether packet-size classification on your hardware of choice includes framing or not.
Also, note that this filtering should be utilized to mitigate attacks, not as a permanent policy.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
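As an added illustration (not part of the post above, and not any vendor's ACL syntax), the following Python models the size-based mitigation filter the thread describes: a standard client/server time-sync packet is 48 bytes of NTP header plus 8 bytes UDP plus 20 bytes IPv4 (76 bytes) or 40 bytes IPv6 (96 bytes), and the post's "90 = 76 + Ethernet framing" gives a 14-byte framing adjustment. The `counts_framing` flag is an assumption standing in for the per-platform question raised in the post (does your hardware's size classifier include framing or not); the sample packets are constructed, not captured traffic.

```python
# Added example: models the size-based NTP filter from the thread.
# Not code from the original post or from any router vendor.
from dataclasses import dataclass

NTP_PORT = 123
NTP_PAYLOAD = 48          # standard NTP client/server header, no extension fields
UDP_HDR = 8
IP_HDR = {4: 20, 6: 40}   # assumes no IPv4 options / IPv6 extension headers
ETH_FRAMING = 14          # Ethernet header; the thread's 90 - 76 = 14

@dataclass
class Packet:
    ip_version: int
    src_port: int
    dst_port: int
    length: int   # bytes as counted by the classifier (see counts_framing)

def expected_size(ip_version, counts_framing=False):
    """Size of a legitimate time-sync packet as this classifier would count it."""
    size = IP_HDR[ip_version] + UDP_HDR + NTP_PAYLOAD
    return size + ETH_FRAMING if counts_framing else size

def ntp_size_filter(pkt, counts_framing=False):
    """Mitigation ACL verdict: traffic not involving UDP/123 is untouched;
    traffic to or from UDP/123 passes only at the time-sync size."""
    if NTP_PORT not in (pkt.src_port, pkt.dst_port):
        return "permit"
    if pkt.length == expected_size(pkt.ip_version, counts_framing):
        return "permit"
    return "drop"

def apply_filter(packets, counts_framing=False):
    """Run the ACL over a list of packets, returning (packet, verdict) pairs."""
    return [(p, ntp_size_filter(p, counts_framing)) for p in packets]

# Constructed sample traffic, sizes counted without framing:
SAMPLE = [
    Packet(4, 51234, 123, 76),    # IPv4 client request
    Packet(4, 123, 51234, 76),    # IPv4 server reply
    Packet(6, 51234, 123, 96),    # IPv6 client request
    Packet(4, 123, 51234, 482),   # oversized packet from UDP/123 (constructed)
    Packet(4, 40000, 123, 40),    # undersized packet to UDP/123 (constructed)
    Packet(4, 40000, 53, 76),     # DNS: same size, but not subject to the filter
]

if __name__ == "__main__":
    for p, verdict in apply_filter(SAMPLE):
        print(f"{verdict:6} v{p.ip_version} {p.src_port}->{p.dst_port} {p.length}B")
```

The point of the `counts_framing` flag is the pilot step from the post: if the classifier counts framing but the rule is written for 76 bytes (or the reverse), every legitimate sync packet is dropped, which is exactly the "breaking the world" outcome a pilot is meant to catch before the filter is deployed during an attack.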