[168678] in North American Network Operators' Group
Re: TWC (AS11351) blocking all NTP?
daemon@ATHENA.MIT.EDU (Stephane Bortzmeyer)
Mon Feb 3 04:53:17 2014
Date: Mon, 3 Feb 2014 10:52:29 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Matthew Petach <mpetach@netflight.com>
In-Reply-To: <CAEmG1=pmcBJAG1-fT2tBi+9C6v2Mcq-HcHkSaxxQjavahHwi+A@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sun, Feb 02, 2014 at 02:49:49PM -0800,
Matthew Petach <mpetach@netflight.com> wrote
a message of 49 lines which said:
> If NTP responded to a single query with a single equivalently sized
> response, its effectiveness as a DDoS attack would be zero; with
> zero amplification, the volume of attack traffic would be exactly
> equivalent to the volume of spoofed traffic the originator could
> send out in the first place.
It is a bit more complicated. Reflection with amplification is
certainly much less useful for an attacker but it still has some
advantages: the attack traffic coming to the victim's AS will be
distributed differently (entering via different peers), making
tracking the attacker through NetFlow/IPFIX more difficult.
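
An added example, not part of the original message: how the ingress spread described above looks in flow records at the victim's border, where reflected NTP traffic (source port 123) arrives through several peers from reflector addresses. The flow tuples, peer names and documentation-range addresses are constructed, and `ingress_spread` is a hypothetical helper.

```python
import math
from collections import defaultdict

# Constructed flow records as seen at the victim AS border:
# (ingress_peer, src_ip, src_port, dst_ip, bytes). All values are made up
# (documentation address ranges, hypothetical peer names).
FLOWS = [
    ("peer-A", "192.0.2.10", 123, "203.0.113.5", 48000),
    ("peer-B", "198.51.100.7", 123, "203.0.113.5", 52000),
    ("peer-C", "192.0.2.99", 123, "203.0.113.5", 50000),
    ("peer-A", "198.51.100.200", 123, "203.0.113.5", 50000),
    ("peer-B", "192.0.2.44", 53124, "203.0.113.5", 1200),   # unrelated traffic
    ("peer-C", "198.51.100.8", 123, "203.0.113.77", 900),   # other destination
]

def ingress_spread(flows, victim, src_port=123):
    """Summarise traffic to `victim` from `src_port` by ingress peer.

    Returns (bytes_per_peer, normalised_entropy, distinct_sources).
    Normalised entropy is 0.0 when all bytes enter via one peer and 1.0
    when they are spread evenly over the peers seen.
    """
    per_peer = defaultdict(int)
    sources = set()
    for peer, src, sport, dst, nbytes in flows:
        if dst == victim and sport == src_port:
            per_peer[peer] += nbytes
            sources.add(src)
    total = sum(per_peer.values())
    # With zero or one ingress peer there is no spread to measure.
    if total == 0 or len(per_peer) < 2:
        return dict(per_peer), 0.0, len(sources)
    h = -sum((b / total) * math.log2(b / total) for b in per_peer.values())
    return dict(per_peer), h / math.log2(len(per_peer)), len(sources)

if __name__ == "__main__":
    per_peer, spread, nsrc = ingress_spread(FLOWS, "203.0.113.5")
    for peer, b in sorted(per_peer.items()):
        print(f"{peer}: {b} bytes")
    print(f"normalised entropy={spread:.3f}, distinct sources={nsrc}")
```

The source addresses in such records belong to the reflectors, so the per-peer breakdown shows where the traffic entered, not where the spoofed requests originated.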