Filter NTP traffic by packet size?

Cb B cb.list6 at gmail.com
Fri Feb 21 22:37:04 UTC 2014


On Feb 22, 2014 5:30 AM, "Damian Menscher" <damian at google.com> wrote:
>
> On Fri, Feb 21, 2014 at 1:22 PM, Cb B <cb.list6 at gmail.com> wrote:
>>
>> On Thu, Feb 20, 2014 at 2:12 PM, Damian Menscher <damian at google.com>
wrote:
>> > On Thu, Feb 20, 2014 at 1:03 PM, Jared Mauch <jared at puck.nether.net>
wrote:
>> > You may also want to look at filtering UDP/80 outright as well, as
that is
>> >> commonly used as an "I'm going to attack port 80" by attackers that
don't
>> >> quite understand the difference between UDP and TCP.
>> >
>> > Please don't filter UDP/80.  It's used by QUIC (
>> > http://en.wikipedia.org/wiki/QUIC).
>>
>> The folks at QUIC have been advised to not use UDP for a new protocol,
>> and they would be very well advised to not use UDP:80 since that is a
>> well known target port used in the DDoS reflection attacks.
>
>
> Please suggest which protocol has less blocking on the internet today
(keeping in mind the full end-to-end stack of CPE, various ISPs,
country-level proxies, backbone providers, etc).
>
> Damian

Tcp.

But the actual answer is , if you want a new transport protocol, create a
new transport protocol with a new protocol number. Overloading the clearly
polluted UDP pool will have problems. Happy eyeballs negotiation may be
required for L4.

QUIC can do what it wants.  Like anyone else, they pay their money and take
their chances. But, the data point that UDP is polluted is clearly
documented with several folks on this list suggesting tactical fixes that
involve limiting UDP, especially udp:80


More information about the NANOG mailing list