nanog mailing list archives

Re: UDP/123 policers & status


From: Ca By <cb.list6 () gmail com>
Date: Tue, 17 Mar 2020 09:05:37 -0700

On Tue, Mar 17, 2020 at 9:03 AM Compton, Rich A <Rich.Compton () charter com>
wrote:

Yes, we still see lots of UDP amplification attacks using NTP monlist.  We
use a filter to block UDP src 123 packets of 468 bytes in length (monlist
reply with the max 6 IPs).

-Rich


+1 , still see, still have policers

Fyi, ipv6 ntp / udp tends to have a much higher success rate getting
through cgn / policers / ...




On 3/17/20, 8:55 AM, "NANOG on behalf of Jared Mauch" <
nanog-bounces () nanog org on behalf of jared () puck nether net> wrote:

    I’m curious what people are seeing these days on the UDP/123 policers
in their networks.

    I know while I was at NTT we rolled some out, and there are a number
of variants that have occurred over the past 6-7 years.  I’ve heard from
people at the NTP Pool as well as having observed some issues with NTP at
Akamai and time sync from time to time.

    Are you still seeing a lot of NTP attacks in your flows these days?

    Should we be looking to remove these, similar to how we did for
SQL/Slammer after a time?

    - Jared
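
The filter Rich describes (UDP source port 123, 468 bytes), modeled in Python as an added example; it is not code from the thread or from any participant's router configuration. It assumes the 468 bytes are the IPv4 total length (20-byte IP header, 8-byte UDP header, 440-byte payload), and the function names and sample packets are constructed for illustration.

```python
import struct

NTP_PORT = 123
FULL_MONLIST_LEN = 468  # figure from the thread; assumed to be IPv4 total length

def build_packet(sport, dport, payload_len, frag_offset=0):
    """Constructed IPv4/UDP sample: zero checksums, documentation addresses."""
    total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, frag_offset, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    return ip + udp + bytes(payload_len)

def matches_filter(pkt):
    """True when pkt is IPv4/UDP from source port 123 with total length 468."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", pkt, 2)
    (flags_frag,) = struct.unpack_from("!H", pkt, 6)
    if ihl < 20 or pkt[9] != 17 or len(pkt) < ihl + 8:
        return False
    if flags_frag & 0x1FFF:  # later fragment: no UDP header, ports unknown
        return False
    (sport,) = struct.unpack_from("!H", pkt, ihl)
    return sport == NTP_PORT and total_len == FULL_MONLIST_LEN

# Constructed samples; payload sizes assume an 8-byte mode 7 header plus
# 72 bytes per monlist entry, and 48 bytes for an ordinary NTP message.
SAMPLES = {
    "monlist reply, 6 entries": build_packet(123, 40000, 8 + 6 * 72),
    "monlist reply, 3 entries": build_packet(123, 40000, 8 + 3 * 72),
    "ordinary NTP reply": build_packet(123, 40000, 48),
    "ordinary NTP request": build_packet(40000, 123, 48),
    "468-byte UDP, other port": build_packet(53, 40000, 440),
    "468-byte later fragment": build_packet(123, 40000, 440, frag_offset=1),
}

def classify_samples():
    return {name: matches_filter(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, dropped in classify_samples().items():
        print(f"{'DROP' if dropped else 'pass'}  {name}")
```

Only the full six-entry reply matches; the ordinary 48-byte NTP reply from source port 123 passes, as does a shorter monlist reply.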
