
Filter NTP traffic by packet size?



We have had pretty good success in identifying offenders with simply
monitoring flow data for NTP flows destined for our address space with
packet counts higher than 100; we disable them and notify to correct
the configuration on the host.  Granted we only service about 1,000
different customers.

In cases where a large amount of incoming traffic was generated, we
have been able to temporarily blackhole offenders to not saturate
smaller downstream connections until traffic levels die down;
unfortunately it takes a few days for that to happen, and many service
providers outside the US don't seem to be very responsive to their
published abuse address.

I prefer targeted, temporary, and communicated filtering for actual
incidents over blanket filtering for potential incidents.


On Sun, Feb 23, 2014 at 7:35 PM, Randy Bush <randy at psg.com> wrote:
>> I've talked to some major peering exchanges and they refuse to take any
>> action. Possibly if the requests come from many peering participants
>> it will be taken more seriously?
>
> i have talked to fiber providers and they have refused to take action.
> perhaps if requests came from hundreds of the unclued zombies they would
> take it seriously.
>
> randy
>



-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net
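
The flow check described in the message above (NTP flows destined for local address space with packet counts higher than 100), as an added example that is not code from the original post. The prefix list, the CSV field layout, the sample records, and treating an "NTP flow" as UDP with destination port 123 are all assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions (not from the original message): the prefix list, the CSV
# field layout, and treating "NTP flow" as UDP with destination port 123.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
PACKET_THRESHOLD = 100  # "packet counts higher than 100", from the message

# Constructed sample flow export: src,dst,proto,sport,dport,packets,bytes
SAMPLE_FLOWS = """\
198.51.100.7,192.0.2.10,17,48211,123,4,304
203.0.113.50,192.0.2.25,17,40112,123,1450,69600
203.0.113.51,192.0.2.25,17,40977,123,980,47040
198.51.100.9,192.0.2.25,17,51515,123,101,7676
192.0.2.10,198.51.100.7,17,123,48211,4,304
203.0.113.50,192.0.2.40,6,44321,123,500,30000
203.0.113.77,203.0.113.99,17,5000,123,9000,432000
not,a,valid,flow,record,x,y
"""

def in_our_space(addr):
    return any(addr in net for net in OUR_PREFIXES)

def find_ntp_offenders(flow_csv, threshold=PACKET_THRESHOLD):
    """Return {internal_host: {"flows", "packets", "sources"}} for NTP flows
    destined to our address space whose packet count exceeds the threshold."""
    hits = defaultdict(lambda: {"flows": 0, "packets": 0, "sources": set()})
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            src, dst = ipaddress.ip_address(row[0]), ipaddress.ip_address(row[1])
            proto, dport, packets = int(row[2]), int(row[4]), int(row[5])
        except (ValueError, IndexError):
            continue  # skip malformed export lines instead of aborting the run
        if proto != 17 or dport != 123 or not in_our_space(dst):
            continue  # not UDP/123, or not destined for our address space
        if packets > threshold:  # strictly higher than the threshold
            entry = hits[str(dst)]
            entry["flows"] += 1
            entry["packets"] += packets
            entry["sources"].add(str(src))
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(find_ntp_offenders(SAMPLE_FLOWS).items()):
        print(host, info["flows"], "flows", info["packets"], "packets",
              "from", sorted(info["sources"]))
```

Grouping by destination host gives one entry per local machine to disable and notify, with the remote sources kept for any temporary blackhole or abuse report.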