Filter NTP traffic by packet size?

Cb B cb.list6 at gmail.com
Fri Feb 21 21:22:36 UTC 2014


On Thu, Feb 20, 2014 at 2:12 PM, Damian Menscher <damian at google.com> wrote:
> On Thu, Feb 20, 2014 at 1:03 PM, Jared Mauch <jared at puck.nether.net> wrote:
>>
>>  On Feb 20, 2014, at 3:51 PM, John Weekes <jw at nuclearfallout.net> wrote:
>> > On 2/20/2014 12:41 PM, Edward Roels wrote:
>> >> Curious if anyone else thinks filtering out NTP packets above a certain
>> >> packet size is a good or terrible idea.
>> >>
>> >> From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6
>> are
>> >> typical for a client to successfully synchronize to an NTP server.
>> >>
>> >> If I query a server for it's list of peers (ntpq -np <ip>) I've seen
>> >> packets as large as 522 bytes in a single packet in response to a 54
>> byte
>> >> query.  I'll admit I'm not 100% clear of the what is happening
>> >> protocol-wise when I perform this query.  I see there are multiple
>> packets
>> >> back forth between me and the server depending on the number of peers it
>> >> has?
>> >
>> > If your equipment supports this, and you're seeing reflected NTP
>> attacks, then it is an effective stopgap to block nearly all of the inbound
>> attack traffic to affected hosts. Some still comes through from NTP servers
>> running on nonstandard ports, but not much.
>>
>
> Also, don't forget to ask those sending the attack traffic to trace where
> the spoofed packets ingressed their networks.
>
>  > Standard IPv4 NTP response packets are 76 bytes (plus any link-level
>> headers), based on my testing. I have been internally filtering packets of
>> other sizes against attack targets for some time now with no ill-effect.
>>
>> You can filter packets that are 440 bytes in size and it will do a lot to
>> help the problem, but make sure you conjoin these with protocol udp and
>> port=123 rules to avoid collateral damage.
>>
>
> Preferably just source-port 123.
>
> You may also want to look at filtering UDP/80 outright as well, as that is
>> commonly used as an "I'm going to attack port 80" by attackers that don't
>> quite understand the difference between UDP and TCP.
>>
>
> Please don't filter UDP/80.  It's used by QUIC (
> http://en.wikipedia.org/wiki/QUIC).
>
> Damian

The folks at QUIC have been advised to not use UDP for a new protocol,
and they would be very well advised to not use UDP:80 since that is a
well known target port used in the DDoS reflection attacks.

As Jared noted, UDP:80 is a cesspool today.  Attempting to use it for
legit traffic is not smart.

CB



More information about the NANOG mailing list