Filter NTP traffic by packet size?
rps at maine.edu
Mon Feb 24 14:23:30 UTC 2014
We have had pretty good success in identifying offenders with simple
monitoring flow data for NTP flows destined for our address space with
packet counts higher than 100; we disable them and notify to correct
the configuration on the host. Granted we only service about 1,000
In cases where a large amount of incoming traffic was generated, we
have been able to temporarily blackhole offenders to not saturate
smaller downstream connections until traffic levels die down;
unfortunately it takes a few days for that to happen, and many service
providers outside the US don't seem to be very responsive to their
published abuse address.
I prefer targeted, temporary, and communicated filtering for actual
incidents over blanket filtering for potential incidents.
On Sun, Feb 23, 2014 at 7:35 PM, Randy Bush <randy at psg.com> wrote:
>> Ive talked to some major peering exchanges and they refuse to take any
>> action. Possibly if the requests come from many peering participants
>> it will be taken more seriously?
> i have talked to fiber providers and they have refused to take action.
> perhaps if requests came from hundreds of the unclued zombies they would
> take it seriously.
Ray Patrick Soucy
University of Maine System
MaineREN, Maine's Research and Education Network
More information about the NANOG