[168664] in North American Network Operators' Group


Re: TWC (AS11351) blocking all NTP?

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sun Feb 2 22:58:50 2014

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: "nanog@nanog.org list" <nanog@nanog.org>
Date: Mon, 3 Feb 2014 03:58:29 +0000
In-Reply-To: <CF1578A6.1E93E%geraint@koding.com>


On Feb 3, 2014, at 10:49 AM, Geraint Jones <geraint@koding.com> wrote:

> We block all outbound UDP for our ~200,000 Users for this very reason

Actually, you could've (and should've) been far more selective in what you filtered via ACLs, IMHO.

What about your users who play online games like BF4?

I'm a big believer in using ACLs to intelligently preclude reflection/amplification abuse, but wholesale filtering of all UDP takes matters too far, IMHO.

My suggestion would be to implement antispoofing on the southward interfaces of the customer aggregation edge (if you can't implement it via mechanisms such as cable ip source verify even further southward), and then implement a default ingress ACL on the coreward interfaces of the customer aggregation gateways to block inbound UDP destined to ntp, chargen, DNS, and SNMP ports only.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
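[Added example, not part of Roland's post or the thread: a small Python model of the two filtering points he describes, so the difference between the selective policy and "block all outbound UDP" can be checked against sample flows. The service port numbers are the IANA assignments (ntp 123, chargen 19, dns 53, snmp 161); the customer prefix, the addresses and the game-server port are constructed for the example, and the direction labels and function names are the example's own.]

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IANA-assigned UDP ports of the services named in the post.
REFLECTOR_PORTS = {"ntp": 123, "chargen": 19, "dns": 53, "snmp": 161}

# Constructed: the prefix assigned to one customer aggregation port.
CUSTOMER_PREFIX = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int


def southward_antispoof(pkt: Packet, assigned=CUSTOMER_PREFIX) -> bool:
    """Applied to traffic arriving FROM the customer (southward interface).
    Permit only if the source address is inside the prefix assigned to that
    port; this is the check that strict uRPF / cable ip source verify
    enforces, and it stops the customer originating spoofed requests."""
    return ip_address(pkt.src) in assigned


def coreward_ingress_acl(pkt: Packet) -> bool:
    """Applied to traffic arriving FROM the core toward the customer.
    Deny only UDP destined to the reflector service ports, permit all else,
    so open NTP/chargen/DNS/SNMP responders on the customer side cannot be
    used as reflectors while other UDP applications keep working."""
    if pkt.proto == "udp" and pkt.dport in REFLECTOR_PORTS.values():
        return False
    return True


def selective_policy(pkt: Packet, direction: str) -> str:
    """The policy suggested in the post. direction is 'from_customer'
    (southward interface) or 'from_core' (coreward interface)."""
    if direction == "from_customer":
        ok = southward_antispoof(pkt)
    elif direction == "from_core":
        ok = coreward_ingress_acl(pkt)
    else:
        raise ValueError(direction)
    return "permit" if ok else "deny"


def block_all_udp_policy(pkt: Packet, direction: str) -> str:
    """The wholesale policy the post argues against: drop every UDP packet
    regardless of port or direction."""
    return "deny" if pkt.proto == "udp" else "permit"


# Constructed sample flows (all addresses from documentation ranges).
SAMPLES = {
    # Game traffic from an external server to a customer host, assumed
    # high UDP port: collateral damage under the wholesale policy.
    "game": (Packet("203.0.113.10", "198.51.100.20", "udp", 25200, 25200), "from_core"),
    # An NTP query from the core to a customer host: this is what turns an
    # open customer NTP responder into a reflector, so it is dropped.
    "ntp_query_in": (Packet("192.0.2.5", "198.51.100.30", "udp", 40000, 123), "from_core"),
    # A customer host sending with a source outside its assigned prefix:
    # the spoofed request that feeds reflection attacks, dropped by antispoof.
    "spoofed_out": (Packet("192.0.2.5", "203.0.113.9", "udp", 40000, 123), "from_customer"),
    # A legitimate outbound NTP client query from the customer's own prefix.
    "ntp_client_out": (Packet("198.51.100.30", "203.0.113.1", "udp", 123, 123), "from_customer"),
}


def compare_policies(samples=SAMPLES) -> dict:
    """Return {name: (selective_verdict, block_all_udp_verdict)}."""
    return {
        name: (selective_policy(pkt, d), block_all_udp_policy(pkt, d))
        for name, (pkt, d) in samples.items()
    }


if __name__ == "__main__":
    for name, (sel, whole) in compare_policies().items():
        print(f"{name:15} selective={sel:6} block_all_udp={whole}")
```

The point the table of verdicts makes is the one in the post: the reflector query and the spoofed packet are dropped by both policies, but only the selective policy lets the game traffic and the customer's own NTP client through.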


