Filter NTP traffic by packet size?

Wed Feb 26 12:56:04 UTC 2014

On Feb 25, 2014, at 12:22 PM, Staudinger, Malcolm <mstaudinger at corp.earthlink.com> wrote:

> Why wouldn't you just block chargen entirely? Is it actually still being used these days for anything legitimate?
> 

More politely stated, it’s not the responsibility of the operator to decide what belongs on the network and what doesn’t.  Users can run any services that’s not illegal or even reuse ports for other applications.  That being said commonly exploited ports (TCP 25 for example) are often blocked.  This is usually done to block or protect an application though not to single out a particular port number.

> Malcolm Staudinger
> Information Security Analyst | EIS
> EarthLink
> 
> E: mstaudinger at corp.earthlink.com
> 
> -----Original Message-----
> From: Blake Hudson [mailto:blake at ispn.net] 
> Sent: Tuesday, February 25, 2014 8:58 AM
> To: nanog at nanog.org
> Subject: Re: Filter NTP traffic by packet size?
> 
> I talked to one of our upstream IP transit providers and was able to negotiate individual policing levels on NTP, DNS, SNMP, and Chargen by UDP port within our aggregate policer. As mentioned, the legitimate traffic levels of these services are near 0. We gave each service many times the amount to satisfy subscribers, but not enough to overwhelm network links during an attack.
> 
> --Blake
> 
> Chris Laffin wrote the following on 2/23/2014 8:58 AM:
>> Ive talked to some major peering exchanges and they refuse to take any action. Possibly if the requests come from many peering participants it will be taken more seriously?
>> 
>>> On Feb 22, 2014, at 19:23, "Peter Phaal" <peter.phaal at gmail.com> wrote:
>>> 
>>> Brocade demonstrated how peering exchanges can selectively filter 
>>> large NTP reflection flows using the sFlow monitoring and hybrid port 
>>> OpenFlow capabilities of their MLXe switches at last week's Network 
>>> Field Day event.
>>> 
>>> http://blog.sflow.com/2014/02/nfd7-real-time-sdn-and-nfv-analytics_19
>>> 86.html
>>> 
>>>> On Sat, Feb 22, 2014 at 4:43 PM, Chris Laffin <claffin at peer1.com> wrote:
>>>> Has anyone talked about policing ntp everywhere. Normal traffic levels are extremely low but the ddos traffic is very high. It would be really cool if peering exchanges could police ntp on their connected members.
>>>> 
>>>>> On Feb 22, 2014, at 8:05, "Paul Ferguson" <fergdawgster at mykolab.com> wrote:
>>>>> 
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA256
>>>>> 
>>>>>>> On 2/22/2014 7:06 AM, Nick Hilliard wrote:
>>>>>>> 
>>>>>>> On 22/02/2014 09:07, Cb B wrote:
>>>>>>> Summary IETF response:  The problem i described is already solved 
>>>>>>> by bcp38, nothing to see here, carry on with UDP
>>>>>> udp is here to stay.  Denying this is no more useful than trying 
>>>>>> to push the tide back with a teaspoon.
>>>>> Yes, udp is here to stay, and I quote Randy Bush on this, "I 
>>>>> encourage my competitors to block udp."  :-p
>>>>> 
>>>>> - - ferg
>>>>> 
>>>>> 
>>>>> - --
>>>>> Paul Ferguson
>>>>> VP Threat Intelligence, IID
>>>>> PGP Public Key ID: 0x54DC85B2
>>>>> 
>>>>> -----BEGIN PGP SIGNATURE-----
>>>>> Version: GnuPG v2.0.22 (MingW32)
>>>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>>> 
>>>>> iF4EAREIAAYFAlMIynoACgkQKJasdVTchbJsqQD/ZVz5vYaIAEv/z2kbU6kEM+KS
>>>>> OQx2XcSkU7r02wNDytoBANVkgZQalF40vhQED+6KyKv7xL1VfxQg1W8T4drh+6/M
>>>>> =FTxg
>>>>> -----END PGP SIGNATURE-----
> 
> 