[169423] in North American Network Operators' Group
Re: Filter NTP traffic by packet size?
daemon@ATHENA.MIT.EDU (sjt5atra)
Mon Feb 24 22:01:36 2014
From: sjt5atra <sjt5atra@gmail.com>
Date: Sun, 23 Feb 2014 18:38:52 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <CA7E867D448D8B489EFF2E97E266038A1DE7281C@RA-EX01.raprinting.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> On Feb 23, 2014, at 4:39 PM, James Braunegg <james.braunegg@micron21.com> w=
rote:
>=20
> Dear All
>=20
> I released a bit of a blog article last week about filtering NTP request t=
raffic via packet size which might be of interest !
>=20
> So far I known of an unknown tool makes a default request packet of 50 byt=
es in size
> ntpdos.py makes a default request packet of 60 bytes in size
> ntp_monlist.py makes a default request packet of 234 bytes in size
> monlist from ntpdc makes a default request packet of 234 bytes in size
>=20
> In contrast a normal NTP request for a time sync is about 90 bytes in size=
>=20
> More information and some graphs can be found here http://www.micron21.co=
m/ddos-ntp.php
>=20
> Kindest Regards
>=20
> =20
> James Braunegg
Do these .py's do anything else different to the query packets than "normal"=
ntp clients? (254TTL instead of the more common 63TTL for "normal" clients.=
)=
