nanog mailing list archives

Re: TWC (AS11351) blocking all NTP?


From: Michael DeMan <nanog () deman com>
Date: Sun, 2 Feb 2014 21:45:50 -0800

The recently publicized mechanism to leverage NTP servers for amplified DoS attacks is seriously effective.
I had a friend who had a local ISP affected by this Thursday and also another case where just two Asterisk servers 
saturated a 100mbps link to the point of unusability.
Once more - this exploit is seriously effective at using bandwidth by reflection.

From a provider point of view, given the choices between contacting the end-users vs. mitigating the problem, if I were 
in TW's position if I was unable to immediately contact the numerous downstream customers that were affected by this, I 
would take the option to block NTP on a case-by-case basis (perhaps even taking a broad brush) rather than allow it to 
continue and cause disruptions elsewhere.


- Mike

On Feb 2, 2014, at 12:44 PM, John Levine <johnl () iecc com> wrote:

In article <20140202163313.GF24634 () hijacked us> you write:
The provider has kindly acknowledged that there is an issue, and are
working on a resolution.  Heads up, it may be more than just my region.

I'm a Time-Warner cable customer in the Syracuse region, and both of
the NTP servers on my home LAN are happily syncing with outside peers.

My real servers are hosted in Ithaca, with T-W being one of the
upstreams and they're also OK.  They were recruited into an NTP DDoS
last month (while I was at a meeting working on anti-DDoS best
practice, which was a little embarrassing) but they're upgraded and
locked down now.

R's,
John





