[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Filter NTP traffic by packet size?

Subject: Filter NTP traffic by packet size?
From: bedard.phil at gmail.com (Phil Bedard)
Date: Thu, 20 Feb 2014 19:37:13 -0500
In-reply-to: <CAPpGzHFQoqqB6SKP1c1nX=LX9=C7djhi5szwN1trxE8bVMNJDg@mail.gmail.com>
References: <CAPpGzHFQoqqB6SKP1c1nX=LX9=C7djhi5szwN1trxE8bVMNJDg@mail.gmail.com>

On 2/20/14, 3:41 PM, "Edward Roels" <edwardroels at gmail.com> wrote:

>Curious if anyone else thinks filtering out NTP packets above a certain
>packet size is a good or terrible idea.
>
>From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6
>are
>typical for a client to successfully synchronize to an NTP server.
>
>If I query a server for it's list of peers (ntpq -np <ip>) I've seen
>packets as large as 522 bytes in a single packet in response to a 54 byte
>query.  I'll admit I'm not 100% clear of the what is happening
>protocol-wise when I perform this query.  I see there are multiple packets
>back forth between me and the server depending on the number of peers it
>has?
>
>
>Would I be breaking something important if I started to filter NTP packets
>> 200 bytes into my network?

We are filtering a range of packet sizes for UDP/123 at the edge and it
has definitely helped thwart some of the NTP attacks.  I hate to do
blanket ACLs blocking traffic but multi-Gbps of attack traffic (not
counting the reflected traffic) is hard to ignore and it's worth the risk
of blocking a minute amount of legitimate traffic.

Phil

References:
- Filter NTP traffic by packet size?
  - From: edwardroels at gmail.com (Edward Roels)

Prev by Date: NTP DRDos Blog post
Next by Date: NTP DRDos Blog post
Previous by thread: Filter NTP traffic by packet size?
Next by thread: Filter NTP traffic by packet size?
Index(es):
- Date
- Thread