[169329] in North American Network Operators' Group
Re: Filter NTP traffic by packet size?
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Fri Feb 21 00:24:56 2014
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Fri, 21 Feb 2014 05:24:00 +0000
In-Reply-To: <E1WGhuC-000MDl-IM@stenn.ntp.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 21, 2014, at 11:40 AM, Harlan Stenn <stenn@ntp.org> wrote:
> As a reality check, with this filtering in place does "ntptrace" still work?
No, it will not.
In order to minimize overblocking of this nature, filtering of this nature should be used with the highest possible degree of granularity, and the minimal necessary scope. One way to accomplish this is to divert traffic towards destinations in question into a mitigation/center sinkhole, applying this filtering on the coreward interfaces of the mitigation center/sinkhole gateway (some re-injection mechanism such as GRE, VRF, selective filtering of the diversion route announcements coupled w/PBR, etc. must be used to re-inject non-matching traffic towards the destinations in question) or via other mitigation mechanisms.
In emergencies, the concept of partial service recovery may dictate temporary filtering of coarser granularity in order to preserve overall network availability; we've run into situations in the past week-and-a-half where networks were experiencing severe strain due to the sheer volume of ntp reflection/amplification attack traffic, and it was necessary to start out with more general filtering, then work towards more specific filtering once the network was stabilized.
But you raise a very important point which should be re-emphasized - general filtering of traffic is to be avoided whenever possible in order to avoid breaking applications/services.
However, the converse notion that emergency situations sometimes entail necessary restrictions should also be taken into account. Operators should use their best judgement as to the scope of any filtering, and should always pilot any proposed mitigation methodologies prior to wider deployment.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
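An added illustration of the overblocking trade-off discussed in the reply above (example code, not part of the NANOG thread): a coarse "drop anything large from UDP/123" emergency rule is compared with a rule scoped to the destinations under attack and to the mode-7 monlist replies that carry the amplification traffic, run over constructed sample packets. The NTP mode is the low three bits of the first payload byte; mode 6 carries the ntpq control replies that ntptrace depends on. The addresses, the 100-byte threshold and the packet sizes are constructed assumptions.

```python
# Added example, not from the NANOG thread: coarse NTP size filter versus a
# scoped, mode-aware rule, evaluated over constructed server->client packets.
# Mode 7 (private) carries the monlist reply abused for reflection; mode 6
# carries ntpq/ntptrace control replies. Addresses and sizes are constructed.
IPV4_UDP_HEADERS = 20 + 8             # bytes in front of the NTP payload
MONLIST_PAYLOAD = 440                 # 8-byte mode-7 header + 6 * 72-byte entries
ATTACK_TARGETS = {"198.51.100.7"}     # assumed destination under attack

def ntp_mode(payload: bytes) -> int:
    """Mode field of the first NTP byte (low 3 bits) for modes 1-7."""
    return payload[0] & 0x07

def coarse_filter(pkt: dict, max_len: int = 100) -> str:
    """Emergency rule: drop anything sourced from UDP/123 above max_len bytes."""
    if pkt["sport"] == 123 and pkt["len"] > max_len:
        return "drop"
    return "pass"

def granular_filter(pkt: dict) -> str:
    """Scoped rule: drop only monlist-sized mode-7 replies aimed at the targets."""
    if (pkt["sport"] == 123 and pkt["dst"] in ATTACK_TARGETS
            and ntp_mode(pkt["payload"]) == 7
            and pkt["len"] >= IPV4_UDP_HEADERS + MONLIST_PAYLOAD):
        return "drop"
    return "pass"

def make_pkt(name: str, dst: str, mode: int, payload_len: int) -> dict:
    """Constructed UDP/123 reply; first payload byte carries VN=4 and the mode."""
    payload = bytes([(4 << 3) | mode]) + b"\x00" * (payload_len - 1)
    return {"name": name, "sport": 123, "dst": dst, "payload": payload,
            "len": IPV4_UDP_HEADERS + payload_len}

SAMPLE_PACKETS = [   # constructed traffic mix seen on a coreward interface
    make_pkt("monlist reply to target", "198.51.100.7", 7, MONLIST_PAYLOAD),
    make_pkt("monlist reply elsewhere", "203.0.113.9", 7, MONLIST_PAYLOAD),
    make_pkt("ntptrace readvar reply", "203.0.113.9", 6, 200),
    make_pkt("ordinary time reply", "203.0.113.9", 4, 48),
]

def compare(packets=SAMPLE_PACKETS) -> dict:
    """Map packet name -> (coarse verdict, granular verdict)."""
    return {p["name"]: (coarse_filter(p), granular_filter(p)) for p in packets}

if __name__ == "__main__":
    for name, (coarse, granular) in compare().items():
        print(f"{name:26} coarse={coarse:4} granular={granular}")
```

The coarse rule drops the ntptrace control reply along with the attack traffic, which is the breakage Harlan asks about; the scoped rule passes it and also leaves monlist replies to non-targets alone, so it must be paired with a separate fix for the open reflectors.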