UDP/123 policers & status

Ragnar Sundblad ragge at kth.se
Fri Mar 27 18:50:09 UTC 2020



> On 27 Mar 2020, at 18:54, Saku Ytti <saku at ytti.fi> wrote:
> 
> On Fri, 27 Mar 2020 at 19:48, Ragnar Sundblad <ragge at kth.se> wrote:
> 
>> Is this really what the ISP community wants - to kill off port 123,
>> and force NTP to move to random ports?
> 
> Make NTP attenuation vector, so that reply is guaranteed to be
> significantly smaller than request, and by standard drop small
> requests.

The NTP replies on port 123 are of the same size as the request, or
smaller on error.

If filtering on request/reply (or “mode” in NTP lingo), you could filter
out the control packets which have the amplification problems in very old
configurations.
You could allow request and reply, mode 3 and 4, but disallow control
packets, mode 6.
This kind of filtering may not be possible in all equipment though.

Another option is to rate limit the traffic, even though that is not
entirely without problems either - public servers are supposed to get
a lot more traffic than a typical client generates.

I know that ISPs have been hunting down machines with other services
that could be used for e.g. amplification or spam, like SMTP relays,
DNS resolvers, HTTP proxies, and similar.
This would be fully possible also with these bad NTP configurations
that have not been updated in many, many years.
I think only the ISPs are in a position to both find out who they
are, and to force them to be fixed.

Ragnar
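
As an added illustration of the mode-based filter discussed in the message above (example code, not from the thread or any vendor): a small Python classifier that reads the LI/VN/mode byte of a UDP/123 payload and permits mode 3 and 4 while dropping mode 6. The default-deny for all other modes and the 48-byte minimum length for client/server packets are this example's own assumptions.

```python
# Constants from RFC 5905 (NTPv4): the first header byte packs LI (2 bits),
# VN (3 bits) and Mode (3 bits); a full client/server header is 48 bytes.
NTP_HEADER_LEN = 48
MODE_CLIENT = 3
MODE_SERVER = 4
MODE_CONTROL = 6


def parse_ntp_header(payload: bytes) -> dict:
    """Return LI, VN and mode from the first byte of a UDP/123 payload."""
    if len(payload) < 1:
        raise ValueError("empty NTP payload")
    first = payload[0]
    return {
        "li": (first >> 6) & 0x03,
        "vn": (first >> 3) & 0x07,
        "mode": first & 0x07,
    }


def ntp_policy(payload: bytes) -> str:
    """Decide 'allow' or 'drop' for a UDP/123 payload based on the NTP mode.

    Permits client/server exchanges (mode 3 and 4) and drops control
    packets (mode 6). Any other mode, or a client/server packet shorter
    than a full header, is dropped here; that default is an assumption of
    this example, not a policy the thread prescribes.
    """
    try:
        hdr = parse_ntp_header(payload)
    except ValueError:
        return "drop"
    mode = hdr["mode"]
    if mode == MODE_CONTROL:
        return "drop"
    if mode in (MODE_CLIENT, MODE_SERVER) and len(payload) >= NTP_HEADER_LEN:
        return "allow"
    return "drop"


def make_ntp_packet(mode: int, vn: int = 4, length: int = NTP_HEADER_LEN) -> bytes:
    """Build a constructed sample payload: first byte = LI|VN|mode, rest zero."""
    first = ((vn & 0x07) << 3) | (mode & 0x07)  # LI = 0
    return bytes([first]) + b"\x00" * (length - 1)


if __name__ == "__main__":
    for mode in (MODE_CLIENT, MODE_SERVER, MODE_CONTROL):
        pkt = make_ntp_packet(mode)
        print(mode, parse_ntp_header(pkt), ntp_policy(pkt))
```

The same classification can be expressed as a raw-payload match on the low three bits of the first UDP payload byte on equipment that supports it.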



