Filter NTP traffic by packet size?
Jared Mauch
jared at puck.nether.net
Wed Feb 26 22:40:06 UTC 2014
On Feb 26, 2014, at 5:33 PM, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 26 Feb 2014 11:44:55 -0600, Brandon Galbraith said:
>
>> Blocking chargen at the edge doesn't seem to be outside of the realm of
>> possibilities.
>
> What systems (a) still have chargen enabled and (b) are common enough to make
> it a viable DDoS vector? Just wondering if I need to go around and find
> users of mine that need to be smacked around with a large trout....
First, if you didn't see this excellent paper, check it out:

http://www.internetsociety.org/doc/amplification-hell-revisiting-network-protocols-ddos-abuse

a) Yes - printers and other devices have it.
b) Yes.

I only ran the scan once, but had ~130k devices respond.

http://chargenscan.org/chargenip2asn.txt

- Jared