UDP/123 policers & status

Ca By cb.list6 at gmail.com
Wed Mar 18 15:57:32 UTC 2020


On Wed, Mar 18, 2020 at 8:46 AM Steven Sommars <stevesommarsntp at gmail.com>
wrote:

> The various NTP filters (rate limits, packet size limits) are negatively
> affecting the NTP Pool, the new secure NTP protocol (Network Time Security)
> and other clients.  NTP filters were deployed several years ago to solve
> serious DDoS issues; I'm not second-guessing those decisions.  Changing the
> filters to instead block NTP mode 7, which covers monlist and other
> diagnostics, would improve NTP usability.
>
> http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf
>
>

Yeah, not changing IPv4 filters, sorry pool. Burned once, twice shy.

There is no simple way to do router filters based on NTP app modes.

I suggest people be aware of time.google.com

And time.cloudflare.com

CB


> On Tue, Mar 17, 2020 at 11:17 AM Mark Tinka <mark.tinka at seacom.mu> wrote:
>
>>
>>
>> On 17/Mar/20 18:05, Ca By wrote:
>>
>>
>>
>>
>> +1, still see, still have policers
>>
>> FYI, IPv6 NTP / UDP tends to have a much higher success rate getting
>> through CGN / policers / ...
>>
>>
>> For those that have come in as attacks toward customers, we've "scrubbed"
>> them where there has been interest.
>>
>> Mark.
>>
>
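
The thread contrasts size/rate filters on UDP/123 with a filter keyed on NTP mode 7. The sketch below is an added example, not code from any poster or from a router vendor: it reads the mode from the low three bits of the first payload byte and compares the two policies over constructed payloads. The 48-byte size limit, the function names and the sample lengths are assumptions.

```python
# Added example: classify UDP/123 payloads by NTP mode and compare two policies.
MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control (ntpq)",
              7: "private (ntpdc)"}

ASSUMED_MAX_LEN = 48  # assumption: size filter passes only basic 48-byte NTP


def ntp_mode(payload: bytes) -> int:
    """Return the NTP mode: the low 3 bits of the first payload byte."""
    if not payload:
        raise ValueError("empty UDP payload")
    return payload[0] & 0x07


def size_policy(payload: bytes, max_len: int = ASSUMED_MAX_LEN) -> bool:
    """True if a length-based filter would pass the packet."""
    return len(payload) <= max_len


def mode_policy(payload: bytes, blocked=(7,)) -> bool:
    """True if a mode-based filter (block mode 7) would pass the packet."""
    return ntp_mode(payload) not in blocked


def make_payload(first_byte: int, length: int) -> bytes:
    """Constructed sample: a real first byte followed by zero padding."""
    return bytes([first_byte]) + bytes(length - 1)


# Constructed samples; lengths other than 48 are illustrative, not measured.
SAMPLES = [
    ("plain v4 client request", make_payload(0x23, 48)),   # VN=4, mode 3
    ("plain v4 server reply", make_payload(0x24, 48)),     # VN=4, mode 4
    ("client request with extension fields (NTS-sized)",
     make_payload(0x23, 228)),                             # VN=4, mode 3
    ("mode 7 request", make_payload(0x17, 8)),             # VN=2, mode 7
    ("mode 7 response", make_payload(0x97, 440)),          # R=1, VN=2, mode 7
]


def compare(samples=SAMPLES):
    """Return (label, mode, passes_size_filter, passes_mode_filter) rows."""
    return [(label, ntp_mode(p), size_policy(p), mode_policy(p))
            for label, p in samples]


if __name__ == "__main__":
    for label, mode, size_ok, mode_ok in compare():
        print(f"{label:50} mode={mode} ({MODE_NAMES[mode]:15}) "
              f"size={'pass' if size_ok else 'DROP'} "
              f"mode={'pass' if mode_ok else 'DROP'}")
```

With these samples the size filter drops the extension-field client request and passes the short mode 7 request, while the mode filter does the reverse.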


More information about the NANOG mailing list