Filter NTP traffic by packet size?

Peter Phaal peter.phaal at
Sun Feb 23 17:03:59 UTC 2014

What is the business model for the IX? Unauthorized filtering of
incoming traffic risks collateral damage and outing exchange members
seems problematic.

The business model seems clearer when offering filtering as a service
to downstream networks, the effects are narrowly scoped, and members
have control over the traffic they accept from the exchange, e.g. I
don't want to accept NTP traffic to any destination that exceeds
1Gbit/s, or is sourced from an NTP server on my blacklist. Giving
policy control to the downstream allows them to protect their networks
and make business decisions about how they want to prioritize services
and customers when resources are constrained.

Would exchange members pay for this type of control? DDoS mitigation
appears to be less of a technical problem than an issue of misaligned
costs and benefits. How do you create incentives for upstream
providers to invest in solutions when the benefits accrue downstream?

On Sun, Feb 23, 2014 at 7:14 AM, Mikael Abrahamsson <swmike at> wrote:
> On Sun, 23 Feb 2014, Chris Laffin wrote:
>> Ive talked to some major peering exchanges and they refuse to take any
>> action. Possibly if the requests come from many peering participants it will
>> be taken more seriously?
> If only there was more focus on the BCP38 offenders who are the real root
> cause of this problem, I would be more happy.
> I would be more impressed if the IXes would start to use their sFlow
> capabilities to find out what IX ports the NTP queries are coming to
> backtrace the traffic to the BCP38 offendors than try to block the NTP
> packets resulting from these src address forged queries.
> --
> Mikael Abrahamsson    email: swmike at

More information about the NANOG mailing list