
On Feb 12, 2014, at 6:49 AM, Don Stokes
> so I'm starting to wonder if redirecting customer NTP traffic to local NTP servers, and dropping all unauthorised inbound NTP queries at the perimeter, isn't a completely bad idea.
The problem is that while it can make sense for access and IDC operators to run their own recursive DNS service and by default (with an opt-out proviso) to restrict recursive DNS for access & IDC customers to their own recursive DNS service, ntp is a different kettle of fish. Access to a high number of diverse ntp sources is desirable.
The fact that many OSes come with ntp set to symmetric mode (i.e., source & dest UDP/123) is certainly annoying. The good news is that it's pretty easy to identify misconfigured ntpds which are abused for ntp reflection/amplification DDoS attacks:
http://www.openntpproject.org/
It's pretty easy to scan your own netblocks, and those of your customers, to identify misconfigured ntpds which can be abused. Those individual ntpds can be S/RTBHed or ACLed until they're remediated, which is much preferable to wholesale ntp blockage.
-----------------------------------------------------------------------
Roland Dobbins
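The audit step the reply recommends (checking your own netblocks for ntpds that answer control queries from anyone) can be done with a small probe. Below is an added example, not part of the thread or of any tool mentioned in it: it builds an NTP mode-6 READVAR control query (the same kind of query `ntpq -c rv` sends), sends it to each host you name, and reports which hosts answer. An ntpd that answers mode 6/7 queries from arbitrary sources is the kind of host the reply says should be ACLed until fixed; the packet layout follows the NTP control-message format, and the host list, timeout and sample response are assumptions constructed for the example.

```python
"""Check which of your own NTP hosts answer mode-6 control queries.

Added example (not from the original thread). A host that answers a
READVAR query from an arbitrary source has no 'restrict ... noquery'
protecting it and is a candidate for ACL/RTBH until remediated.
"""
import socket
import struct
import sys

NTP_PORT = 123
# Header: byte0 = LI|VN|Mode, byte1 = R|E|M|OpCode, then five 16-bit
# fields: sequence, status, association id, offset, count.
HEADER = "!BBHHHHH"


def build_readvar_query(sequence=1):
    # 0x16: LI=0, VN=2, Mode=6 (control).  0x02: opcode 2 = READVAR,
    # association id 0 = "the system itself", no payload.
    return struct.pack(HEADER, 0x16, 0x02, sequence, 0, 0, 0, 0)


def parse_control_response(data):
    """Return the variables from a mode-6 response as a dict.

    None means the bytes are not a mode-6 response at all (e.g. silence or
    an ordinary mode-3/4 time packet).  {"_error": True} means the server
    answered but set the error bit.
    """
    if len(data) < 12:
        return None
    b0, b1, _seq, _status, _assoc, _offset, count = struct.unpack(
        HEADER, data[:12])
    if (b0 & 0x07) != 6 or not (b1 & 0x80):   # mode 6 with R (response) bit
        return None
    if b1 & 0x40:                              # E (error) bit
        return {"_error": True}
    # Payload is "name=value, name="quoted value", ..."; only the first
    # fragment is parsed here (the M bit signals more fragments).
    payload = data[12:12 + count].decode("ascii", "replace")
    result = {}
    for item in payload.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            result[key.strip()] = value.strip().strip('"')
    return result


def probe(host, timeout=2.0):
    """Return 'answers', 'error', or 'silent' for one host (assumed reachable)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_readvar_query(), (host, NTP_PORT))
        data, _ = sock.recvfrom(4096)
    except (socket.timeout, OSError):
        return "silent"
    finally:
        sock.close()
    parsed = parse_control_response(data)
    if parsed is None:
        return "silent"
    return "error" if parsed.get("_error") else "answers"


def sample_response():
    """Constructed mode-6 READVAR reply, used so the parser can be exercised offline."""
    payload = b'version="ntpd 4.2.6p5", processor="x86_64", stratum=2'
    # 0x82: R bit set, opcode 2; sequence 1 matches the query.
    return struct.pack(HEADER, 0x16, 0x82, 1, 0, 0, 0, len(payload)) + payload


if __name__ == "__main__":
    hosts = sys.argv[1:]              # e.g. your own NTP servers' addresses
    if not hosts:
        print("no hosts given; parsing constructed sample:",
              parse_control_response(sample_response()))
    for h in hosts:
        print(h, probe(h))
```

Run it only against addresses you are responsible for; a host reported as `answers` needs a `restrict default ... noquery` line (or an equivalent ACL in front of it), which stops both mode-6 and mode-7 (monlist) replies while leaving ordinary time service untouched.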