Filter NTP traffic by packet size?

Ray Soucy rps at
Mon Feb 24 14:23:30 UTC 2014

We have had pretty good success in identifying offenders with simple
monitoring flow data for NTP flows destined for our address space with
packet counts higher than 100; we disable them and notify to correct
the configuration on the host.  Granted we only service about 1,000
different customers.

In cases where a large amount of incoming traffic was generated, we
have been able to temporarily blackhole offenders to not saturate
smaller downstream connections until traffic levels die down;
unfortunately it takes a few days for that to happen, and many service
providers outside the US don't seem to be very responsive to their
published abuse address.

I prefer targeted, temporary, and communicated filtering for actual
incidents over blanket filtering for potential incidents.

On Sun, Feb 23, 2014 at 7:35 PM, Randy Bush <randy at> wrote:
>> Ive talked to some major peering exchanges and they refuse to take any
>> action. Possibly if the requests come from many peering participants
>> it will be taken more seriously?
> i have talked to fiber providers and they have refused to take action.
> perhaps if requests came from hundreds of the unclued zombies they would
> take it seriously.
> randy

Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network

More information about the NANOG mailing list