UDP/123 policers & status

[cb.list6 at gmail.com (Ca By)]

On Tue, Mar 17, 2020 at 9:03 AM Compton, Rich A <Rich.Compton at charter.com>
wrote:

> Yes, we still see lots of UDP amplification attacks using NTP monlist.  We
> use a filter to block UDP src 123 packets of 468 bytes in length (monlist
> reply with the max 6 IPs).
>
> -Rich


+1 , still see, still have policers

Fyi, ipv6 ntp / udp tends to have a much higher success rate getting
through cgn / policers / ...



>
> On 3/17/20, 8:55 AM, "NANOG on behalf of Jared Mauch" <
> nanog-bounces at nanog.org on behalf of jared at puck.nether.net> wrote:
>
>     Iâ??m curious what people are seeing these days on the UDP/123 policers
> in their networks.
>
>     I know while I was at NTT we rolled some out, and there are a number
> of variants that have occurred over the past 6-7 years.  Iâ??ve heard from
> people at the NTP Pool as well as having observed some issues with NTP at
> Akamai and time sync from time to time.
>
>     Are you still seeing a lot of NTP attacks in your flows these days?
>
>     Should we be looking to remove these, similar to how we did for
> SQL/Slammer after a time?
>
>     - Jared
>
> E-MAIL CONFIDENTIALITY NOTICE:
> The contents of this e-mail message and any attachments are intended
> solely for the addressee(s) and may contain confidential and/or legally
> privileged information. If you are not the intended recipient of this
> message or if this message has been addressed to you in error, please
> immediately alert the sender by reply e-mail and then delete this message
> and any attachments. If you are not the intended recipient, you are
> notified that any use, dissemination, distribution, copying, or storage of
> this message or any attachment is strictly prohibited.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200317/50124106/attachment.html>