Filter NTP traffic by packet size?

Nick Hilliard nick at foobar.org
Sat Feb 22 15:06:32 UTC 2014


On 22/02/2014 09:07, Cb B wrote:
> Summary IETF response:  The problem i described is already solved by
> bcp38, nothing to see here, carry on with UDP

udp is here to stay.  Denying this is no more useful than trying to push
the tide back with a teaspoon.

It's worth bearing in mind that any open tcp service will send out several
acks before giving up.  In other words, any standard open tcp socket will
provide a level of amplification worth using even if UDP were to be
switched off tomorrow.  Sure, not as good as the 230x amplification that
ntp monlist will give, but it's still a problem.

In the long term, it would be more useful to spent time and effort building
automated tools to track down the sources of the spoofed packets than
trying to deprecate UDP.

Nick





More information about the NANOG mailing list