[169417] in North American Network Operators' Group
Re: Filter NTP traffic by packet size?
daemon@ATHENA.MIT.EDU (Ray Soucy)
Mon Feb 24 09:23:56 2014
In-Reply-To: <m27g8le4a2.wl%randy@psg.com>
Date: Mon, 24 Feb 2014 09:23:30 -0500
From: Ray Soucy <rps@maine.edu>
To: Randy Bush <randy@psg.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
We have had pretty good success in identifying offenders with simple
monitoring flow data for NTP flows destined for our address space with
packet counts higher than 100; we disable them and notify to correct
the configuration on the host. Granted we only service about 1,000
different customers.
In cases where a large amount of incoming traffic was generated, we
have been able to temporarily blackhole offenders to not saturate
smaller downstream connections until traffic levels die down;
unfortunately it takes a few days for that to happen, and many service
providers outside the US don't seem to be very responsive to their
published abuse address.
I prefer targeted, temporary, and communicated filtering for actual
incidents over blanket filtering for potential incidents.
On Sun, Feb 23, 2014 at 7:35 PM, Randy Bush <randy@psg.com> wrote:
>> Ive talked to some major peering exchanges and they refuse to take any
>> action. Possibly if the requests come from many peering participants
>> it will be taken more seriously?
>
> i have talked to fiber providers and they have refused to take action.
> perhaps if requests came from hundreds of the unclued zombies they would
> take it seriously.
>
> randy
>
--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526
F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
