nanog mailing list archives
Re: Filter NTP traffic by packet size?
From: Phil Bedard <bedard.phil () gmail com>
Date: Thu, 20 Feb 2014 19:37:13 -0500
On 2/20/14, 3:41 PM, "Edward Roels" <edwardroels () gmail com> wrote:
Curious if anyone else thinks filtering out NTP packets above a certain packet size is a good or terrible idea. From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6 are typical for a client to successfully synchronize to an NTP server. If I query a server for its list of peers (ntpq -np <ip>) I've seen packets as large as 522 bytes in a single packet in response to a 54 byte query. I'll admit I'm not 100% clear on what is happening protocol-wise when I perform this query. I see there are multiple packets back and forth between me and the server depending on the number of peers it has? Would I be breaking something important if I started to filter NTP packets > 200 bytes into my network?
We are filtering a range of packet sizes for UDP/123 at the edge and it has definitely helped thwart some of the NTP attacks. I hate to do blanket ACLs blocking traffic but multi-Gbps of attack traffic (not counting the reflected traffic) is hard to ignore and it's worth the risk of blocking a minute amount of legitimate traffic.

Phil
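To make the sizes quoted in this thread concrete, the following is an added Python example (not code from either poster) that builds the two kinds of NTP packets discussed, a normal 48-byte client/server time packet and an ntpq-style mode 6 control message, computes their on-wire size assuming plain Ethernet plus IPv4 or IPv6 with no options or extension headers, and reports what a "drop UDP/123 above 200 bytes" rule would keep or discard. The packet contents, the 468-byte control-response payload and the labels are constructed; the resulting sizes (90, 110, 54 and 522 bytes) match the figures in the question.

```python
"""Estimate what a UDP/123 packet-size filter keeps and drops.

Added example for this thread, not code from the list posters.
Every packet below is constructed for illustration.
"""
import struct

# Header sizes for the assumed encapsulation (Ethernet, no VLAN tag,
# IPv4 without options / IPv6 without extension headers, UDP).
ETH_HDR, IPV4_HDR, IPV6_HDR, UDP_HDR = 14, 20, 40, 8


def ntp_mode(payload: bytes) -> int:
    """NTP mode is the low 3 bits of the first byte (LI:2, VN:3, Mode:3).
    Modes 3/4 are client/server time packets; mode 6 is a control message
    (what ntpq uses); mode 7 is the implementation-specific private mode."""
    return payload[0] & 0x07


def wire_size(payload: bytes, ipv6: bool = False) -> int:
    """Ethernet frame length for a UDP datagram carrying this payload."""
    return ETH_HDR + (IPV6_HDR if ipv6 else IPV4_HDR) + UDP_HDR + len(payload)


def client_request() -> bytes:
    """Standard 48-byte NTPv4 client packet: LI=0, VN=4, mode=3, rest zero."""
    first = (0 << 6) | (4 << 3) | 3
    return bytes([first]) + bytes(47)


def control_message(data: bytes, opcode: int = 1) -> bytes:
    """Mode 6 control message: 12-byte header followed by data.
    Header fields: LI/VN/mode, R|E|M|opcode, sequence, status,
    association id, offset, count.  Opcode 1 (read status) is the request
    ntpq sends to list associations (assumed for this example)."""
    first = (0 << 6) | (2 << 3) | 6
    hdr = struct.pack("!BBHHHHH", first, opcode & 0x1F, 1, 0, 0, 0, len(data))
    return hdr + data


# Constructed sample traffic: (label, payload, carried over IPv6?)
SAMPLE_PACKETS = [
    ("client request (IPv4)", client_request(), False),
    ("client request (IPv6)", client_request(), True),
    ("ntpq peer-list query (IPv4)", control_message(b""), False),
    ("ntpq peer-list response (IPv4)", control_message(bytes(468)), False),
]


def evaluate(packets, max_wire_bytes: int = 200) -> dict:
    """Apply 'drop UDP/123 frames larger than max_wire_bytes' to each packet.
    Returns {label: (ntp_mode, wire_size, dropped)}."""
    result = {}
    for label, payload, ipv6 in packets:
        size = wire_size(payload, ipv6)
        result[label] = (ntp_mode(payload), size, size > max_wire_bytes)
    return result


if __name__ == "__main__":
    for label, (mode, size, dropped) in evaluate(SAMPLE_PACKETS).items():
        verdict = "DROP" if dropped else "pass"
        print(f"{label:32s} mode={mode} bytes={size:3d} -> {verdict}")
```

Running it shows that time-sync packets (90 and 110 bytes) and the 54-byte ntpq query pass a 200-byte threshold, while the 522-byte peer-list response is dropped; that is exactly the trade-off both posters describe, since only the larger control responses are affected, not ordinary synchronization.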