Filter NTP traffic by packet size?

Cb B cb.list6 at gmail.com
Tue Feb 25 20:52:31 UTC 2014


On Tue, Feb 25, 2014 at 8:58 AM, Blake Hudson <blake at ispn.net> wrote:
> I talked to one of our upstream IP transit providers and was able to
> negotiate individual policing levels on NTP, DNS, SNMP, and Chargen by UDP
> port within our aggregate policer. As mentioned, the legitimate traffic
> levels of these services are near 0. We gave each service many times the
> amount to satisfy subscribers, but not enough to overwhelm network links
> during an attack.
>
> --Blake
>

Blake,

What you have done is common and required to keep the network up at
this time. It is perfectly appropriate to have a baseline and enforce
some multiple of the baseline with a policer.

People who say this is the wrong thing to do are not running a network
of significant size, end of story.

CB


> Chris Laffin wrote the following on 2/23/2014 8:58 AM:
>
>> I've talked to some major peering exchanges and they refuse to take any
>> action. Possibly if the requests come from many peering participants it will
>> be taken more seriously?
>>
>>> On Feb 22, 2014, at 19:23, "Peter Phaal" <peter.phaal at gmail.com> wrote:
>>>
>>> Brocade demonstrated how peering exchanges can selectively filter
>>> large NTP reflection flows using the sFlow monitoring and hybrid port
>>> OpenFlow capabilities of their MLXe switches at last week's Network
>>> Field Day event.
>>>
>>>
>>> http://blog.sflow.com/2014/02/nfd7-real-time-sdn-and-nfv-analytics_1986.html
>>>
>>>> On Sat, Feb 22, 2014 at 4:43 PM, Chris Laffin <claffin at peer1.com> wrote:
>>>> Has anyone talked about policing NTP everywhere? Normal traffic levels
>>>> are extremely low but the DDoS traffic is very high. It would be really cool
>>>> if peering exchanges could police NTP on their connected members.
>>>>
>>>>> On Feb 22, 2014, at 8:05, "Paul Ferguson" <fergdawgster at mykolab.com>
>>>>> wrote:
>>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA256
>>>>>
>>>>>> On 2/22/2014 7:06 AM, Nick Hilliard wrote:
>>>>>>
>>>>>>> On 22/02/2014 09:07, Cb B wrote:
>>>>>>> Summary IETF response:  The problem I described is already solved
>>>>>>> by BCP38, nothing to see here, carry on with UDP
>>>>>>
>>>>>> udp is here to stay.  Denying this is no more useful than trying to
>>>>>> push the tide back with a teaspoon.
>>>>>
>>>>> Yes, udp is here to stay, and I quote Randy Bush on this, "I encourage
>>>>> my competitors to block udp."  :-p
>>>>>
>>>>> - - ferg
>>>>>
>>>>>
>>>>> - --
>>>>> Paul Ferguson
>>>>> VP Threat Intelligence, IID
>>>>> PGP Public Key ID: 0x54DC85B2
>>>>>
>>>>> -----BEGIN PGP SIGNATURE-----
>>>>> Version: GnuPG v2.0.22 (MingW32)
>>>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>>>
>>>>> iF4EAREIAAYFAlMIynoACgkQKJasdVTchbJsqQD/ZVz5vYaIAEv/z2kbU6kEM+KS
>>>>> OQx2XcSkU7r02wNDytoBANVkgZQalF40vhQED+6KyKv7xL1VfxQg1W8T4drh+6/M
>>>>> =FTxg
>>>>> -----END PGP SIGNATURE-----
>
>
>
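As an added illustration of the "baseline times a multiple, enforced by a policer" approach described in this reply, here is a small per-UDP-service token-bucket policer in Python. This is example code written for this archive page, not anything Blake's transit provider or Cb B posted. It assumes the standard port numbers for NTP, DNS, SNMP and Chargen, treats a packet as belonging to a service if either its source or destination port matches (reflected responses arrive with the service port as the source), and uses an assumed 20x multiple with an assumed 10 kB/s floor so that a service whose legitimate baseline is near zero is not policed down to nothing. All traffic is constructed inline.

```python
"""Per-UDP-service token-bucket policer sized as a multiple of a measured baseline.

Example written for this page (not the thread's own code). Port numbers are the
standard assignments; traffic, multiple and floor are constructed/assumed values.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services named in the thread (standard port assignments, assumed here).
SERVICE_PORTS = {123: "ntp", 53: "dns", 161: "snmp", 19: "chargen"}


@dataclass
class Pkt:
    t: float      # arrival time in seconds
    sport: int    # UDP source port
    dport: int    # UDP destination port
    size: int     # bytes on the wire


def service_port(pkt):
    """Return the policed service port if either side of the packet uses one, else None."""
    for p in (pkt.sport, pkt.dport):
        if p in SERVICE_PORTS:
            return p
    return None


def measure_baseline(pkts, window_seconds):
    """Average bytes/second per service port over a quiet measurement window."""
    totals = defaultdict(int)
    for p in pkts:
        sp = service_port(p)
        if sp is not None:
            totals[sp] += p.size
    return {sp: totals[sp] / window_seconds for sp in SERVICE_PORTS}


class TokenBucket:
    """Byte-based token bucket: refills at `rate` bytes/s, holds at most `burst` bytes."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def admit(self, t, size):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def build_policers(baseline, multiple=20, floor_bps=10_000, burst_seconds=1.0):
    """One policer per service: max(multiple * baseline, floor), with a one-second burst."""
    policers = {}
    for sp, bps in baseline.items():
        rate = max(multiple * bps, floor_bps)   # floor keeps near-zero baselines usable
        policers[sp] = TokenBucket(rate, rate * burst_seconds)
    return policers


def police(pkts, policers):
    """Run packets through the per-port policers; return (passed, dropped) bytes per key."""
    passed, dropped = defaultdict(int), defaultdict(int)
    for p in sorted(pkts, key=lambda x: x.t):
        sp = service_port(p)
        if sp is None:
            passed["other"] += p.size       # non-service UDP is never policed
        elif policers[sp].admit(p.t, p.size):
            passed[sp] += p.size
        else:
            dropped[sp] += p.size
    return dict(passed), dict(dropped)


def quiet_traffic(seconds=10):
    """Constructed subscriber traffic: a trickle of NTP/DNS/SNMP replies plus unrelated UDP."""
    pkts = []
    for s in range(seconds):
        pkts.append(Pkt(s + 0.1, 123, 40000, 76))                       # one NTP reply/s
        pkts += [Pkt(s + 0.2 + i * 0.01, 53, 41000 + i, 100) for i in range(5)]  # DNS
        if s % 2 == 0:
            pkts.append(Pkt(s + 0.5, 161, 42000, 120))                  # SNMP poll reply
        pkts.append(Pkt(s + 0.7, 443, 43000, 1400))                     # unrelated UDP
    return pkts


def flood_traffic(start=10, seconds=10, pps=1000, size=440):
    """Constructed flood of large UDP/123-sourced packets, as seen in a reflection event."""
    return [Pkt(start + i / pps, 123, 40000, size) for i in range(seconds * pps)]


def simulate():
    """Size policers from the quiet window, then replay quiet traffic followed by a flood."""
    quiet = quiet_traffic()
    policers = build_policers(measure_baseline(quiet, 10))
    return police(quiet + flood_traffic(), policers)


if __name__ == "__main__":
    passed, dropped = simulate()
    for port, name in SERVICE_PORTS.items():
        print(f"{name:8s} passed={passed.get(port, 0):>8} dropped={dropped.get(port, 0):>8}")
    print(f"other    passed={passed.get('other', 0):>8}")
```

The floor parameter is the part worth attention when reproducing this on real gear: with legitimate NTP near 0 bytes/s, "some multiple of the baseline" alone rounds down to a policer that discards subscribers' own replies, which is why the reply above stresses giving each service many times its measured level. The simulation also shows the policer is selective: DNS, SNMP and unrelated UDP pass untouched while only the flooded service port is clipped to its configured rate.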