UDP/123 policers & status
On Wed, Mar 18, 2020 at 8:46 AM Steven Sommars <stevesommarsntp at gmail.com>
wrote:
> The various NTP filters (rate limits, packet size limits) are negatively
> affecting the NTP Pool, the new secure NTP protocol (Network Time Security)
> and other clients. NTP filters were deployed several years ago to solve
> serious DDoS issues, I'm not second guessing those decisions. Changing the
> filters to instead block NTP mode 7, which covers monlist and other
> diagnostics, would improve NTP usability.
>
> http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf
>
>
Yeah, not changing IPv4 filters. Sorry, pool. Burned once, twice shy.
There is no simple way to do router filters based on NTP app modes.
I suggest people be aware of time.google.com
and time.cloudflare.com
CB
> On Tue, Mar 17, 2020 at 11:17 AM Mark Tinka <mark.tinka at seacom.mu> wrote:
>
>>
>>
>> On 17/Mar/20 18:05, Ca By wrote:
>>
>>
>>
>>
>> +1, still see, still have policers
>>
>> FYI, IPv6 NTP / UDP tends to have a much higher success rate getting
>> through CGN / policers / ...
>>
>>
>> For those that have come in as attacks toward customers, we've "scrubbed"
>> them where there has been interest.
>>
>> Mark.
>>
>
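
The trade-off discussed in this thread, as an added example that is not part of the original messages: a size-based UDP/123 policy compared with a mode-based one, where the NTP mode is the low 3 bits of the first payload byte. The 48-byte limit, the function names and the sample payloads are assumptions constructed for illustration; this is offline classification in Python, not a router filter.

```python
# Added example: classify UDP/123 payloads by NTP mode versus by size.
# Byte 0 of an NTP packet: LI (2 bits) | version (3 bits) | mode (3 bits).
# Modes 1-5 carry time sync; 6 is control (ntpq); 7 is private (ntpdc, monlist).

SIZE_LIMIT = 48  # assumption: hypothetical policer passing only bare 48-byte packets


def first_byte(li: int, version: int, mode: int) -> int:
    """Pack the leap indicator, version and mode into header byte 0."""
    return (li << 6) | (version << 3) | mode


def ntp_mode(payload: bytes) -> int:
    """Return the mode field, or -1 when the payload is empty."""
    return payload[0] & 0x07 if payload else -1


def size_filter(payload: bytes) -> bool:
    """Size-based policy: pass only payloads of exactly SIZE_LIMIT bytes."""
    return len(payload) == SIZE_LIMIT


def mode_filter(payload: bytes) -> bool:
    """Mode-based policy: pass time-sync modes 1-5, drop modes 6 and 7."""
    return 1 <= ntp_mode(payload) <= 5


# Constructed sample payloads: only byte 0 and the length are meaningful.
SAMPLES = {
    "plain client": bytes([first_byte(0, 4, 3)]) + bytes(47),
    "client with extension fields (NTS-sized)":
        bytes([first_byte(0, 4, 3)]) + bytes(47 + 180),
    "mode 7 request": bytes([first_byte(0, 2, 7)]) + bytes(7),
}


def compare() -> dict:
    """Map each sample name to (passes size policy, passes mode policy)."""
    return {name: (size_filter(p), mode_filter(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_size, by_mode) in compare().items():
        print(f"{name:45s} size={'pass' if by_size else 'drop'} "
              f"mode={'pass' if by_mode else 'drop'}")
```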