Filter NTP traffic by packet size?

Cb B cb.list6 at
Tue Feb 25 20:52:31 UTC 2014

On Tue, Feb 25, 2014 at 8:58 AM, Blake Hudson <blake at> wrote:
> I talked to one of our upstream IP transit providers and was able to
> negotiate individual policing levels on NTP, DNS, SNMP, and Chargen by UDP
> port within our aggregate policer. As mentioned, the legitimate traffic
> levels of these services are near 0. We gave each service many times the
> amount to satisfy subscribers, but not enough to overwhelm network links
> during an attack.
> --Blake


What you have done is common and required to keep the network up at
this time. It is perfectly appropriate to have a baseline and enforce
some multiple of the baseline with a policer.

People who say this is the wrong thing to do are not running a network
of significant size, end of story.


> Chris Laffin wrote the following on 2/23/2014 8:58 AM:
>> I've talked to some major peering exchanges and they refuse to take any
>> action. Possibly if the requests come from many peering participants it will
>> be taken more seriously?
>>> On Feb 22, 2014, at 19:23, "Peter Phaal" <peter.phaal at> wrote:
>>> Brocade demonstrated how peering exchanges can selectively filter
>>> large NTP reflection flows using the sFlow monitoring and hybrid port
>>> OpenFlow capabilities of their MLXe switches at last week's Network
>>> Field Day event.
>>>> On Sat, Feb 22, 2014 at 4:43 PM, Chris Laffin <claffin at> wrote:
>>>> Has anyone talked about policing ntp everywhere? Normal traffic levels
>>>> are extremely low but the ddos traffic is very high. It would be really cool
>>>> if peering exchanges could police ntp on their connected members.
>>>>> On Feb 22, 2014, at 8:05, "Paul Ferguson" <fergdawgster at>
>>>>> wrote:
>>>>> On 2/22/2014 7:06 AM, Nick Hilliard wrote:
>>>>>> On 22/02/2014 09:07, Cb B wrote:
>>>>>>> Summary IETF response:  The problem I described is already solved
>>>>>>> by bcp38, nothing to see here, carry on with UDP
>>>>>> udp is here to stay.  Denying this is no more useful than trying to
>>>>>> push the tide back with a teaspoon.
>>>>> Yes, udp is here to stay, and I quote Randy Bush on this, "I encourage
>>>>> my competitors to block udp."  :-p
>>>>> - ferg
>>>>> --
>>>>> Paul Ferguson
>>>>> VP Threat Intelligence, IID
>>>>> PGP Public Key ID: 0x54DC85B2
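As an added illustration (not from the thread or any of its posters), a token-bucket simulation of the per-service policer Blake and Cb B describe: a byte-rate baseline is measured per UDP port over a quiet window, each port's policer is set to a multiple of that baseline, and a constructed NTP reflection burst is run through it next to normal DNS traffic. The ports are the services named in the thread; the flow records, rates, multiple and floor are made-up values.

```python
from collections import defaultdict

# Amplification-prone UDP services the thread names (port -> name).
SERVICES = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp"}

class Policer:
    """Single-rate token bucket: rate in bytes/s, burst depth in bytes."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate, self.burst = rate_bps, burst_bytes
        self.tokens, self.last = burst_bytes, 0.0
        self.passed = self.dropped = 0

    def offer(self, ts, size):
        """Refill for elapsed time, then forward the packet only if tokens cover it."""
        self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= size:
            self.tokens -= size
            self.passed += size
            return True
        self.dropped += size
        return False

def baseline_rates(records, window_s):
    """Average bytes/s per service port over a quiet observation window."""
    totals = defaultdict(int)
    for _ts, port, size in records:
        totals[port] += size
    return {p: totals[p] / window_s for p in SERVICES}

def build_policers(baseline, multiple, burst_s, floor_bps):
    """One policer per port at `multiple` x baseline; the floor keeps a near-zero service usable."""
    return {p: Policer(max(r, floor_bps) * multiple, max(r, floor_bps) * multiple * burst_s)
            for p, r in baseline.items()}

def police(policers, records):
    """Feed (ts, port, size) records, in time order, to the matching port's policer."""
    for ts, port, size in records:
        if port in policers:
            policers[port].offer(ts, size)
    return {SERVICES[p]: (pl.passed, pl.dropped) for p, pl in policers.items()}

# Constructed sample flows: 60 s of quiet traffic (one 90-byte NTP and one 120-byte DNS
# packet per second), then a 10 s burst of 100 x 482-byte NTP replies per second plus normal DNS.
QUIET = [(t, port, size) for t in range(60) for port, size in ((123, 90), (53, 120))]
ATTACK = [(t, 53, 120) for t in range(60, 70)] + \
         [(t + i / 100, 123, 482) for t in range(60, 70) for i in range(100)]

def simulate():
    baseline = baseline_rates(QUIET, 60.0)           # ntp 90 B/s, dns 120 B/s, others 0
    policers = build_policers(baseline, multiple=10, burst_s=2, floor_bps=50)
    return police(policers, sorted(ATTACK))

if __name__ == "__main__":
    for name, (ok, drop) in simulate().items():
        print(f"{name:8s} passed={ok:7d} dropped={drop:7d}")
```

DNS is untouched by the burst because only the NTP policer is saturated, which is the point of policing per port rather than one aggregate limit.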
