nanog mailing list archives

Re: Filter NTP traffic by packet size?


From: Ray Soucy <rps () maine edu>
Date: Mon, 24 Feb 2014 09:23:30 -0500

We have had pretty good success in identifying offenders by simply
monitoring flow data for NTP flows destined for our address space with
packet counts higher than 100; we disable them and notify to correct
the configuration on the host.  Granted we only service about 1,000
different customers.

In cases where a large amount of incoming traffic was generated, we
have been able to temporarily blackhole offenders to not saturate
smaller downstream connections until traffic levels die down;
unfortunately it takes a few days for that to happen, and many service
providers outside the US don't seem to be very responsive to their
published abuse address.

I prefer targeted, temporary, and communicated filtering for actual
incidents over blanket filtering for potential incidents.


On Sun, Feb 23, 2014 at 7:35 PM, Randy Bush <randy () psg com> wrote:
I've talked to some major peering exchanges and they refuse to take any
action. Possibly if the requests come from many peering participants
it will be taken more seriously?

i have talked to fiber providers and they have refused to take action.
perhaps if requests came from hundreds of the unclued zombies they would
take it seriously.

randy




-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net
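
The flow-based check described in the message above, sketched as an added example (not code from the original post or from the author's tooling). The CSV flow layout, the documentation prefixes standing in for "our address space", and the function names are assumptions; the sample records are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed stand-ins for "our address space" (RFC 5737 documentation ranges).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
UDP, NTP_PORT = 17, 123
PACKET_THRESHOLD = 100  # "packet counts higher than 100" from the post

# Constructed sample flow records in an assumed collector CSV export.
SAMPLE_FLOWS = """\
src,dst,proto,sport,dport,packets,bytes
203.0.113.7,192.0.2.10,17,53211,123,4,304
203.0.113.9,192.0.2.25,17,80,123,5200,416000
203.0.113.9,192.0.2.25,17,80,123,3100,248000
203.0.113.40,198.51.100.5,17,123,123,100,7600
203.0.113.41,198.51.100.77,17,44321,123,101,808
203.0.113.50,192.0.2.25,6,44000,123,900,54000
203.0.113.60,203.0.113.61,17,40000,123,9000,720000
not-an-ip,192.0.2.10,17,1,123,500,1
"""

def in_our_space(addr):
    return any(addr in net for net in OUR_PREFIXES)

def find_offenders(flow_csv, threshold=PACKET_THRESHOLD):
    """Map each local host to its NTP flows whose packet count exceeds threshold."""
    hits = defaultdict(lambda: {"flows": 0, "packets": 0, "sources": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            proto, dport, pkts = int(row["proto"]), int(row["dport"]), int(row["packets"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip rather than abort the run
        # Only UDP flows to port 123 on hosts inside our own prefixes count.
        if proto != UDP or dport != NTP_PORT or not in_our_space(dst):
            continue
        if pkts <= threshold:
            continue  # ordinary client polling stays far below the threshold
        entry = hits[str(dst)]
        entry["flows"] += 1
        entry["packets"] += pkts
        entry["sources"].add(str(src))
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(find_offenders(SAMPLE_FLOWS).items()):
        print(host, info["flows"], info["packets"], sorted(info["sources"]))
```

The per-host source list gives the operator something concrete to include when notifying the customer to correct the host's configuration.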

