Filter NTP traffic by packet size?

George William Herbert george.herbert at
Sun Feb 23 18:36:42 UTC 2014

On Feb 23, 2014, at 9:50 AM, Lukasz Bromirski <lukasz at> wrote:
> To do some additional checks would require extensive testing, platforms
> capable of doing this in predictable manner (stability, performance)
> and obviously - a lot more work than it costs today.

What are the costs and stability impacts of the DDOS that are running now?

Everyone is asserting it's someone else's problem.  Which in a sense it is.  But what goes around will come around.

If you are not BCP 38 you are sourcing problems.

If you are transiting or IXPing someone who isn't BCP 38 you are enabling problems.

Is what we are doing now good enough?  Probably not.

It would take fewer IXP and transit providers adding analysis capability to backtrack than endpoints.  So the enablers are more capable of effecting change.  They are less to blame in the first place, but not blameless. 

To assert blamelessness is a form of Tragedy of the Commons.  If it's crossing your link or switch, you ARE in the responsibility chain.

The last thing I would like to see is large orgs starting to retreat away from open interconnect because of DDOS coming in from less well managed parts of the net.

Perhaps BCP 38 implementation will rise fast enough that these things will not become real, but we have been hearing that for 15 plus years now...

At some point, the "38 will work by itself!" line approaches "Look at the Emperor's fine new clothes!".

-george william herbert
george.herbert at

Sent from Kangphone
