Filter NTP traffic by packet size?

sjt5atra sjt5atra at gmail.com
Sun Feb 23 23:38:52 UTC 2014


> On Feb 23, 2014, at 4:39 PM, James Braunegg <james.braunegg at micron21.com> wrote:
> 
> Dear All
> 
> I released a bit of a blog article last week about filtering NTP request traffic via packet size which might be of interest !
> 
> So far I known of an unknown tool makes a default request packet of 50 bytes in size
> ntpdos.py makes a default request packet of 60 bytes in size
> ntp_monlist.py makes a default request packet of 234 bytes in size
> monlist from ntpdc makes a default request packet of 234 bytes in size
> 
> In contrast a normal NTP request for a time sync is about 90 bytes in size
> 
> More information and some graphs can be found here  http://www.micron21.com/ddos-ntp.php
> 
> Kindest Regards
> 
>    
> James Braunegg

Do these .py's do anything else different to the query packets than "normal" ntp clients? (254TTL instead of the more common 63TTL for "normal" clients.)


More information about the NANOG mailing list