On 25 Feb 2014, at 5:32, Dobbins, Roland wrote:

On Feb 25, 2014, at 6:19 PM, Joel van Velden wrote:

Forgive me for missing the obvious here, but isn't the answer to drop packets emitting from customers on UDP/123 above a certain rate limit?
IMHO, the obvious solution is to block ntp packets which aren't 76 bytes in length towards either attack targets or to/from ntpds being abused, because source-based QoS isn't that commonplace, plus per-source numbers can be relatively (*relatively*) low compared to the attack aggregate.
This approach has been used with considerable success over the last week-and-a-half, FWIW.
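An added illustration of the two mitigations discussed above (a length-based NTP filter versus a per-source rate limit); this is example code written for this page, not code from either poster. It assumes IPv4 without options (20-byte header), an 8-byte UDP header and the standard 48-byte NTP client/server packet, which together give the 76-byte wire length; the addresses, the 468-byte oversize length and the packet records are constructed for the example.

```python
# Added example: length-based NTP filter vs. per-source rate limiting.
# Not from the thread; all packet records below are constructed.
from collections import Counter
from dataclasses import dataclass

IP_HDR = 20            # IPv4 header without options
UDP_HDR = 8
NTP_STD_PAYLOAD = 48   # standard NTP v3/v4 client/server packet
NTP_STD_LEN = IP_HDR + UDP_HDR + NTP_STD_PAYLOAD   # 76 bytes on the wire
NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    length: int   # total IPv4 datagram length in bytes


def is_ntp(pkt: Packet) -> bool:
    return NTP_PORT in (pkt.sport, pkt.dport)


def length_filter_verdict(pkt: Packet, targets: set, abused_servers: set) -> str:
    """Roland's filter: drop NTP packets that are not 76 bytes long when they
    head toward a known attack target or involve a known abused ntpd.
    Normal 76-byte queries and replies are always permitted."""
    if not is_ntp(pkt) or pkt.length == NTP_STD_LEN:
        return "permit"
    if pkt.dst in targets or pkt.src in abused_servers or pkt.dst in abused_servers:
        return "drop"
    return "permit"


def sources_over_rate(pkts: list, window_s: float, pps_limit: float) -> set:
    """Joel's alternative: per-source rate limit on UDP/123. Returns the set
    of sources whose NTP packet rate in the window exceeds pps_limit."""
    counts = Counter(p.src for p in pkts if is_ntp(p))
    return {src for src, n in counts.items() if n / window_s > pps_limit}


def aggregate_pps(pkts: list, window_s: float) -> float:
    """Total NTP packet rate seen in the window, regardless of source."""
    return sum(1 for p in pkts if is_ntp(p)) / window_s


# Constructed addresses from documentation ranges; placeholders only.
TARGET = "203.0.113.10"          # hypothetical attack target
ABUSED = "198.51.100.5"          # hypothetical abused ntpd
TARGETS = {TARGET}
ABUSED_SERVERS = {ABUSED}

SAMPLE = [
    Packet("192.0.2.7", 50000, ABUSED, NTP_PORT, NTP_STD_LEN),  # ordinary client query
    Packet(ABUSED, NTP_PORT, TARGET, NTP_PORT, 468),            # oversize reply toward target
    Packet("192.0.2.8", NTP_PORT, "192.0.2.9", NTP_PORT, 468),  # oversize, unrelated hosts
]


def build_reflected_flood(n_sources: int, per_source: int) -> list:
    """Constructed reflected flood: many abused servers each sending a few
    oversize packets at the target within one window."""
    pkts = []
    for i in range(n_sources):
        src = f"198.51.100.{i + 1}"
        pkts.extend(Packet(src, NTP_PORT, TARGET, NTP_PORT, 468) for _ in range(per_source))
    return pkts


if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src, "->", p.dst, p.length, length_filter_verdict(p, TARGETS, ABUSED_SERVERS))
    flood = build_reflected_flood(50, 4)   # 50 sources x 4 packets in a 1 s window
    print("sources over 10 pps:", sources_over_rate(flood, 1.0, 10))
    print("aggregate pps:", aggregate_pps(flood, 1.0))
    print("dropped by length filter:",
          sum(length_filter_verdict(p, TARGETS, ABUSED_SERVERS) == "drop" for p in flood))
```

Run stand-alone, the flood case shows the point made above: with 50 reflectors sending 4 packets each, no single source crosses a 10 pps limit, yet the aggregate is 200 pps, and the length filter drops every one of those packets because none of them is 76 bytes.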
It doesn’t do great things for the long-term development of NTP as a protocol, though. I understand the need to put out flames during a big fire, but short-term fixes that don’t cause immediate damage have a habit of sticking around.

Joe