UDP/123 policers & status

Steven Sommars stevesommarsntp at gmail.com
Tue Mar 17 22:12:17 UTC 2020


The various NTP filters (rate limits, packet size limits) are negatively
affecting the NTP Pool, the new secure NTP protocol (Network Time Security)
and other clients.  NTP filters were deployed several years ago to solve
serious DDoS issues; I'm not second-guessing those decisions.  Changing the
filters to instead block NTP mode 7, which covers monlist and other
diagnostics, would improve NTP usability.

http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf

On Tue, Mar 17, 2020 at 11:17 AM Mark Tinka <mark.tinka at seacom.mu> wrote:

>
>
> On 17/Mar/20 18:05, Ca By wrote:
>
>
>
>
> +1 , still see, still have policers
>
> Fyi, ipv6 ntp / udp tends to have a much higher success rate getting
> through cgn / policers / ...
>
>
> For those that have come in as attacks toward customers, we've "scrubbed"
> them where there has been interest.
>
> Mark.
>
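
Added example (not part of the original message or thread): a comparison of a packet-size limit with a mode-7-only filter, run over constructed UDP/123 payloads. The 48-byte limit, the function names and the zero-filled sample packets are assumptions made for illustration.

```python
import struct

def ntp_mode(payload: bytes) -> int:
    """First byte is LI (2 bits) | VN (3 bits) | Mode (3 bits)."""
    if not payload:
        raise ValueError("empty UDP payload")
    return payload[0] & 0x07

def size_filter_passes(payload: bytes, max_len: int = 48) -> bool:
    """Packet-size limit: pass only payloads of at most max_len bytes (assumed limit)."""
    return len(payload) <= max_len

def mode7_filter_passes(payload: bytes) -> bool:
    """Mode filter: drop mode 7 (and empty payloads), pass everything else."""
    try:
        return ntp_mode(payload) != 7
    except ValueError:
        return False

def ext_field(field_type: int, body: bytes) -> bytes:
    """NTP extension field: 16-bit type, 16-bit total length, then the body."""
    return struct.pack("!HH", field_type, 4 + len(body)) + body

# Constructed sample payloads (zero-filled, not captured traffic).
HEADER_V4_CLIENT = bytes([0x23]) + bytes(47)        # LI=0, VN=4, Mode=3
SAMPLES = {
    "plain client request": HEADER_V4_CLIENT,
    # NTS-style request: header plus unique-identifier and cookie extension fields
    "NTS client request": HEADER_V4_CLIENT
        + ext_field(0x0104, bytes(32)) + ext_field(0x0204, bytes(100)),
    # Only the mode 7 first byte (VN=2, Mode=7) plus padding; not a working query
    "mode 7 header": bytes([0x17]) + bytes(7),
}

def compare(samples=SAMPLES):
    """Return {name: (length, passes size limit, passes mode 7 filter)}."""
    return {name: (len(p), size_filter_passes(p), mode7_filter_passes(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (length, by_size, by_mode) in compare().items():
        print(f"{name:22} len={length:3} size-limit={'pass' if by_size else 'DROP'} "
              f"mode7-filter={'pass' if by_mode else 'DROP'}")
```

The size limit drops the NTS-style request because its extension fields push it past 48 bytes, while the mode filter passes it and drops only the mode 7 packet.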


More information about the NANOG mailing list