nanog mailing list archives

Re: Filter NTP traffic by packet size?


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Fri, 21 Feb 2014 02:55:06 +0000


On Feb 21, 2014, at 3:41 AM, Edward Roels <edwardroels () gmail com> wrote:

> From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6 are typical for a client to successfully
> synchronize to an NTP server.

Correct.  90 bytes = 76 bytes + Ethernet framing.

Filtering out packets this size from UDP/anything to UDP/123 allows time-sync requests and responses to work, but 
squelches both the level-6/-7 commands used to trigger amplification as well as amplified attack traffic.

Operators are using this size-based filtering to effect without breaking the world.  

Be sure to pilot this first, and understand whether packet-size classification on your hardware of choice includes 
framing or not.

Also, note that this filtering should be utilized to mitigate attacks, not as a permanent policy.  

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton
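The size-based filter above hinges on two numbers (90 bytes for IPv4, 110 for IPv6) and on Roland's caveat that some platforms classify packet length with the 14-byte Ethernet header and some without. The following is an added example, not code from the post or from any vendor's filter syntax: it derives those sizes from the header stack (20/40-byte IP header, 8-byte UDP header, 48-byte NTP time-sync body; the 48-byte body with no extension fields is an assumption), then runs a toy version of the mitigation rule over constructed sample packets to show what happens when a rule size copied from a framing-inclusive box is applied on a device that measures IP length only. Function names, the `Packet` class and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass

# Header sizes (bytes). NTP_BODY assumes a plain mode 3/4 time-sync packet with
# no extension fields or MAC, which is the common client sync case.
ETHERNET_HDR = 14
IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
NTP_BODY = 48
NTP_PORT = 123


def expected_sync_size(ip_version: int, include_framing: bool) -> int:
    """Size of a normal NTP time-sync packet, with or without Ethernet framing.
    IPv4: 20 + 8 + 48 = 76, 90 with framing. IPv6: 40 + 8 + 48 = 96, 110 with framing."""
    ip_hdr = IPV4_HDR if ip_version == 4 else IPV6_HDR
    size = ip_hdr + UDP_HDR + NTP_BODY
    return size + ETHERNET_HDR if include_framing else size


def rule_sizes_for(classifier_includes_framing: bool) -> dict:
    """Per-address-family match sizes to configure on a device with the given classifier behaviour."""
    return {v: expected_sync_size(v, classifier_includes_framing) for v in (4, 6)}


@dataclass
class Packet:
    note: str         # label for the constructed sample
    ip_version: int
    dst_port: int
    frame_len: int    # bytes on the wire, Ethernet header included


def classifier_length(frame_len: int, classifier_includes_framing: bool) -> int:
    """Length the filtering hardware actually compares: some platforms count the
    Ethernet header, others strip it and compare the IP packet length."""
    return frame_len if classifier_includes_framing else frame_len - ETHERNET_HDR


def ntp_mitigation_filter(pkt: Packet, rule_sizes: dict, classifier_includes_framing: bool) -> str:
    """Mitigation rule from the post: toward UDP/123, permit only packets of the
    normal time-sync size; everything else to UDP/123 is dropped. Other ports untouched."""
    if pkt.dst_port != NTP_PORT:
        return "permit"
    seen = classifier_length(pkt.frame_len, classifier_includes_framing)
    return "permit" if seen == rule_sizes[pkt.ip_version] else "drop"


def pilot(packets, rule_sizes: dict, classifier_includes_framing: bool) -> dict:
    """Run the rule over a sample set and report verdict per packet: the 'pilot this first' step."""
    return {p.note: ntp_mitigation_filter(p, rule_sizes, classifier_includes_framing) for p in packets}


# Constructed sample traffic (not captured data). The 234-byte length is an
# arbitrary non-sync size standing in for a control/monitoring query.
SAMPLE = [
    Packet("v4 client sync request", 4, NTP_PORT, 90),
    Packet("v6 client sync request", 6, NTP_PORT, 110),
    Packet("v4 oversized UDP/123 query", 4, NTP_PORT, 234),
    Packet("v4 DNS query, unrelated", 4, 53, 90),
]

if __name__ == "__main__":
    # Rule sizes derived for a framing-inclusive classifier, applied correctly.
    print("framing-inclusive device:", pilot(SAMPLE, rule_sizes_for(True), True))
    # Same 90/110 rule pasted onto a device that compares IP length: legitimate sync breaks.
    print("rule copied to IP-length device:", pilot(SAMPLE, rule_sizes_for(True), False))
    # Correctly re-derived sizes for that device.
    print("re-derived for IP-length device:", pilot(SAMPLE, rule_sizes_for(False), False))
```

The second `pilot` call is the failure mode the post warns about: 90 and 110 are right only where the classifier counts framing; on a platform that measures IP length the matching sizes are 76 and 96, and a rule carried over unchanged drops every legitimate client request while still permitting nothing extra.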


