UDP/123 policers & status

• Previous message (by thread): UDP/123 policers & status
• Next message (by thread): UDP/123 policers & status
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Yes, we still see lots of UDP amplification attacks using NTP monlist.  We use a filter to block UDP src 123 packets of 468 bytes in length (monlist reply with the max 6 IPs).

-Rich

On 3/17/20, 8:55 AM, "NANOG on behalf of Jared Mauch" <nanog-bounces at nanog.org on behalf of jared at puck.nether.net> wrote:

    I’m curious what people are seeing these days on the UDP/123 policers in their networks.
    
    I know while I was at NTT we rolled some out, and there are a number of variants that have occurred over the past 6-7 years.  I’ve heard from people at the NTP Pool as well as having observed some issues with NTP at Akamai and time sync from time to time.
    
    Are you still seeing a lot of NTP attacks in your flows these days?
    
    Should we be looking to remove these, similar to how we did for SQL/Slammer after a time?
    
    - Jared

E-MAIL CONFIDENTIALITY NOTICE: 
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.

• Previous message (by thread): UDP/123 policers & status
• Next message (by thread): UDP/123 policers & status
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]