[169324] in North American Network Operators' Group
Re: Filter NTP traffic by packet size?
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Thu Feb 20 21:55:56 2014
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Fri, 21 Feb 2014 02:55:06 +0000
In-Reply-To: <CAPpGzHFQoqqB6SKP1c1nX=LX9=C7djhi5szwN1trxE8bVMNJDg@mail.gmail.com>
On Feb 21, 2014, at 3:41 AM, Edward Roels <edwardroels@gmail.com> wrote:
> From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6 are typical for a client to successfully synchronize to an NTP server.
Correct. 90 bytes = 76 bytes + Ethernet framing.
Filtering out packets this size from UDP/anything to UDP/123 allows time-sync requests and responses to work, but squelches both the level-6/-7 commands used to trigger amplification as well as amplified attack traffic.
Operators are using this size-based filtering to effect without breaking the world.
Be sure to pilot this first, and understand whether packet-size classification on your hardware of choice includes framing or not.
Also, note that this filtering should be utilized to mitigate attacks, not as a permanent policy.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
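The size arithmetic behind the 90-byte and 110-byte figures, and the "does your hardware count framing?" caveat, can be checked with a small model of the filter. The following is an added example, not code from the NANOG thread or from any vendor: it assumes minimal IPv4/IPv6 headers, a 14-byte Ethernet II header, and a 48-byte payload for a plain NTP time-sync packet, and it represents packets as constructed dictionaries rather than real captures.

```python
# Added example (not from the post): size-based NTP filter model.
# Assumptions: IPv4 header without options (20 B), fixed IPv6 header (40 B),
# UDP header (8 B), Ethernet II header (14 B, FCS not counted), and a plain
# NTP time-sync (client/server mode) payload of 48 B.  Packets are
# constructed dicts with ip_version, proto, src_port, dst_port, payload_len.

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
ETH_FRAMING = 14
NTP_SYNC_PAYLOAD = 48
NTP_PORT = 123


def expected_sync_size(ip_version, include_framing):
    """Wire size of a plain NTP time-sync packet for the given IP version.

    include_framing=True mirrors hardware whose size classification counts
    the Ethernet header (the 90 / 110 byte figures in the thread);
    False mirrors hardware that counts from the IP header (76 / 96 bytes).
    """
    ip_hdr = IPV4_HDR if ip_version == 4 else IPV6_HDR
    size = ip_hdr + UDP_HDR + NTP_SYNC_PAYLOAD
    return size + ETH_FRAMING if include_framing else size


def packet_size(pkt, include_framing):
    """Size of a constructed packet as the classifier would measure it."""
    ip_hdr = IPV4_HDR if pkt["ip_version"] == 4 else IPV6_HDR
    size = ip_hdr + UDP_HDR + pkt["payload_len"]
    return size + ETH_FRAMING if include_framing else size


def ntp_size_filter(pkt, include_framing, mitigation_active=True):
    """Return 'permit' or 'drop' for one packet.

    While mitigation is active, any UDP packet to or from port 123 that is
    not exactly the size of a time-sync exchange is dropped; everything
    else passes.  With mitigation off the filter is a no-op, reflecting the
    advice that this is an attack-time measure, not a permanent policy.
    """
    if not mitigation_active or pkt["proto"] != "udp":
        return "permit"
    if NTP_PORT not in (pkt["src_port"], pkt["dst_port"]):
        return "permit"
    sync_size = expected_sync_size(pkt["ip_version"], include_framing)
    return "permit" if packet_size(pkt, include_framing) == sync_size else "drop"


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    {"name": "v4 client sync request", "ip_version": 4, "proto": "udp",
     "src_port": 51234, "dst_port": 123, "payload_len": 48},
    {"name": "v6 server sync response", "ip_version": 6, "proto": "udp",
     "src_port": 123, "dst_port": 40001, "payload_len": 48},
    {"name": "v4 oversized packet to 123", "ip_version": 4, "proto": "udp",
     "src_port": 33333, "dst_port": 123, "payload_len": 200},
    {"name": "v4 DNS query", "ip_version": 4, "proto": "udp",
     "src_port": 44444, "dst_port": 53, "payload_len": 48},
]


def classify_all(include_framing, mitigation_active=True):
    """Run the filter over the sample set; returns {name: verdict}."""
    return {p["name"]: ntp_size_filter(p, include_framing, mitigation_active)
            for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for v in (4, 6):
        print(f"IPv{v} sync packet: {expected_sync_size(v, False)} B at IP layer, "
              f"{expected_sync_size(v, True)} B with Ethernet framing")
    for framing in (True, False):
        print(f"\nclassifier counts framing={framing}")
        for name, verdict in classify_all(framing).items():
            print(f"  {name:30s} -> {verdict}")
```

The practical point the model makes visible: the same packet is permitted whether or not the platform counts framing, but only if the configured match size is chosen for that platform (90 versus 76 for IPv4, 110 versus 96 for IPv6). Piloting the rule, as the post recommends, is how you find out which figure your hardware actually uses.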