Filter NTP traffic by packet size?

Jared Mauch jared at puck.nether.net
Wed Feb 26 22:40:06 UTC 2014


On Feb 26, 2014, at 5:33 PM, Valdis.Kletnieks at vt.edu wrote:

> On Wed, 26 Feb 2014 11:44:55 -0600, Brandon Galbraith said:
> 
>> Blocking chargen at the edge doesn't seem to be outside of the realm of
>> possibilities.
> 
> What systems are (a) still have chargen enabled and (b) common enough to make
> it a viable DDoS vector?  Just wondering if I need to go around and find
> users of mine that need to be smacked around with a large trout....

First, if you didn't see this excellent paper, check it out:

http://www.internetsociety.org/doc/amplification-hell-revisiting-network-protocols-ddos-abuse

a) Yes - printers and other devices have it.

b) yes.

I only ran the scan once, but had ~130k devices respond.

http://chargenscan.org/chargenip2asn.txt

- Jared




More information about the NANOG mailing list