On Feb 25, 2014, at 6:19 PM, Joel van Velden wrote:
> Forgive me for missing the obvious here, but isn't the answer to drop packets emitting from customers on UDP/123 above a certain rate limit?
IMHO, the obvious solution is to block ntp packets which aren't 76 bytes in length towards either attack targets or to/from ntpds being abused, because source-based QoS isn't that commonplace, plus per-source numbers can be relatively (*relatively*) low compared to the attack aggregate.
This approach has been used with considerable success over the last week-and-a-half, FWIW.
-----------------------------------------------------------------------
Roland Dobbins
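
The comparison made in the reply above, as an added example that is not part of the original message: a length-based NTP filter next to a per-source rate limit, run over constructed packets. It assumes the 76 bytes are the IPv4 total length (20-byte header without options + 8-byte UDP header + 48-byte basic NTP packet); the function names, documentation-range addresses, 440-byte payload and rate limit are illustrative.

```python
import struct
from collections import Counter

NTP_PORT = 123
NTP_IP_LEN = 76  # assumption: 20 (IPv4, no options) + 8 (UDP) + 48 (basic NTP)

def build_packet(src, sport, dport, payload_len):
    """Constructed IPv4/UDP packet (checksums left at zero) used as sample input."""
    total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes(src), bytes([192, 0, 2, 1]))
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    return ip + udp + bytes(payload_len)

def length_verdict(pkt):
    """'pass' for traffic that is not UDP/123, 'permit' for 76-byte NTP, else 'drop'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "pass"
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # Non-first fragments carry no UDP header, so ports cannot be checked here.
    if proto != 17 or frag_off or ihl < 20 or len(pkt) < ihl + 8:
        return "pass"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if NTP_PORT not in (sport, dport):
        return "pass"
    # NTP carrying an authenticator or extension fields is longer and is dropped too.
    return "permit" if total_len == NTP_IP_LEN else "drop"

def per_source_verdicts(pkts, limit):
    """Per-source rate limit over one window: drop packets beyond `limit` per source."""
    seen, out = Counter(), []
    for p in pkts:
        seen[p[12:16]] += 1
        out.append("drop" if seen[p[12:16]] > limit else "permit")
    return out

def demo():
    """200 constructed sources x 5 oversized UDP/123 packets, plus one 76-byte reply."""
    attack = [build_packet([198, 51, 100, i], 123, 40000, 440)
              for i in range(1, 201) for _ in range(5)]
    legit = build_packet([203, 0, 113, 7], 123, 40001, 48)
    rate = per_source_verdicts(attack, limit=10)
    length = [length_verdict(p) for p in attack]
    return rate.count("drop"), length.count("drop"), length_verdict(legit)
```

Each constructed source stays under the per-source limit while the aggregate is 1,000 oversized packets; the length check drops all of them and still permits the 76-byte reply.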