Filter NTP traffic by packet size?

Dobbins, Roland rdobbins at
Fri Feb 21 05:24:00 UTC 2014

On Feb 21, 2014, at 11:40 AM, Harlan Stenn <stenn at> wrote:

> As a reality check, with this filtering in place does "ntptrace" still work?

No, it will not.

In order to minimize overblocking of this nature, filtering of this nature should be used with the highest possible degree of granularity, and the minimal necessary scope.  One way to accomplish this is to divert traffic towards destinations in question into a mitigation center/sinkhole, applying this filtering on the coreward interfaces of the mitigation center/sinkhole gateway (some re-injection mechanism such as GRE, VRF, selective filtering of the diversion route announcements coupled w/PBR, etc. must be used to re-inject non-matching traffic towards the destinations in question) or via other mitigation mechanisms.

In emergencies, the concept of partial service recovery may dictate temporary filtering of coarser granularity in order to preserve overall network availability; we've run into situations in the past week-and-a-half where networks were experiencing severe strain due to the sheer volume of ntp reflection/amplification attack traffic, and it was necessary to start out with more general filtering, then work towards more specific filtering once the network was stabilized.

But you raise a very important point which should be re-emphasized - general filtering of traffic is to be avoided whenever possible in order to avoid breaking applications/services.  

However, the converse notion that emergency situations sometimes entail necessary restrictions should also be taken into account.  Operators should use their best judgement as to the scope of any filtering, and should always pilot any proposed mitigation methodologies prior to wider deployment.

Roland Dobbins <rdobbins at> // <>

	  Luck is the residue of opportunity and design.

		       -- John Milton
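
As an added example (not part of Roland's post), the following Python models the overblocking he describes: it decodes the NTP mode from the first payload byte and compares a coarse "48-byte packets only" size rule (an assumed rule; the post names no threshold) with a filter scoped to mode 7 private-mode packets, the monlist amplifier. All sample payloads are constructed, not captured traffic.

```python
"""Added example, not from the original NANOG thread: estimate which
legitimate NTP traffic a coarse UDP/123 packet-size filter also drops."""


def ntp_payload(version: int, mode: int, length: int) -> bytes:
    """Build a constructed NTP payload; low 3 bits of byte 0 carry the mode,
    the next 3 bits the version (higher bits are LI, or R/M for mode 7)."""
    first = ((version & 0x7) << 3) | (mode & 0x7)
    return bytes([first]) + b"\x00" * (length - 1)


# Constructed samples: ordinary client/server packets are 48 bytes; ntpq and
# ntptrace use mode 6 control messages (12-byte header plus variable data);
# a mode 7 monlist response is much larger (440 bytes is typical).
SAMPLES = {
    "client_request": ntp_payload(4, 3, 48),
    "server_reply": ntp_payload(4, 4, 48),
    "control_query": ntp_payload(2, 6, 12),
    "control_reply": ntp_payload(2, 6, 12 + 200),
    "monlist_reply": ntp_payload(2, 7, 440),
}


def classify(payload: bytes) -> dict:
    """Extract version, mode and length from an NTP payload."""
    return {
        "version": (payload[0] >> 3) & 0x7,
        "mode": payload[0] & 0x7,
        "length": len(payload),
    }


def size_filter(payload: bytes, allowed: int = 48) -> bool:
    """Coarse policy (assumed): pass only exactly 48-byte NTP payloads."""
    return len(payload) == allowed


def mode7_filter(payload: bytes) -> bool:
    """Finer policy: drop only mode 7 private-mode packets, pass the rest."""
    return classify(payload)["mode"] != 7


def collateral(samples: dict, policy) -> list:
    """Names of non-mode-7 (legitimate) samples that `policy` would drop."""
    return sorted(
        name for name, p in samples.items()
        if classify(p)["mode"] != 7 and not policy(p)
    )


if __name__ == "__main__":
    print("size filter drops:", collateral(SAMPLES, size_filter))
    print("mode 7 filter drops:", collateral(SAMPLES, mode7_filter))
```

Both policies drop the constructed monlist reply, but only the size rule also discards the mode 6 control messages that ntptrace depends on.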

More information about the NANOG mailing list