UDP/123 policers & status
On Wed, Mar 18, 2020 at 8:45 AM Steven Sommars <stevesommarsntp at gmail.com>
wrote:
> The various NTP filters (rate limits, packet size limits) are negatively
> affecting the NTP Pool, the new secure NTP protocol (Network Time Security)
> and other clients. NTP filters were deployed several years ago to solve
> serious DDoS issues, I'm not second-guessing those decisions. Changing the
> filters to instead block NTP mode 7, which covers monlist and other
> diagnostics, would improve NTP usability.
>
> http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf
>
>
I've advocated a throttle (not a hard block) on udp/123 packets with 468
bytes/packet (the size of a full monlist response). In your paper you
mention NTS extensions can be 200+ bytes. How large do those packets
typically get, in practice? And how significant is packet loss for them
(if there's high packet loss during the occasional attack, does that pose a
problem)?
Damian
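As an added illustration of the two filter strategies discussed in this thread (a size-based policer keyed to the 468-byte monlist response versus a block on NTP mode 7), the following example code is not from the original post or from either author. It reads the mode and version bits and any NTPv4 extension fields from a raw UDP/123 payload and shows how each policy treats a plain client request, an NTS-protected server response, and a mode-7 response. The sample packets are constructed here (zero-filled apart from the fields the parser reads); the extension field type codes follow RFC 8915, and the 256-byte NTS response size is an assumption chosen to land in the "200+ bytes" range mentioned in the thread.

```python
"""Classify raw NTP (UDP/123) payloads and compare a size policer with a mode-7 block.

Example code added to this thread; not the original authors' tooling.
"""
import struct
from dataclasses import dataclass

NTP_HEADER_LEN = 48          # fixed NTPv4 header (RFC 5905)
MONLIST_RESPONSE_LEN = 468   # full mode-7 monlist response size named in the thread
MODE_PRIVATE = 7             # mode 7: ntpd private/diagnostic requests (monlist etc.)
EXT_FIELD_MIN_LEN = 16       # RFC 7822 minimum extension field length

# NTS extension field type codes (RFC 8915, section 7.6)
EF_UNIQUE_IDENTIFIER = 0x0104
EF_NTS_COOKIE = 0x0204
EF_NTS_AUTHENTICATOR = 0x0404


@dataclass
class NtpPacketInfo:
    length: int            # UDP payload length in bytes
    version: int           # VN bits (same position for modes 1-7)
    mode: int              # low three bits of the first byte
    extension_fields: int  # NTPv4 extension fields found after the 48-byte header


def parse_ntp(payload: bytes) -> NtpPacketInfo:
    """Extract mode/version and count RFC 7822 extension fields (assumes no trailing legacy MAC)."""
    if not payload:
        raise ValueError("empty payload")
    first = payload[0]
    mode = first & 0x07
    version = (first >> 3) & 0x07
    ext_count = 0
    # Mode 7 uses its own layout, so extension fields are only parsed for standard modes.
    if mode != MODE_PRIVATE and len(payload) >= NTP_HEADER_LEN:
        offset = NTP_HEADER_LEN
        while len(payload) - offset >= EXT_FIELD_MIN_LEN:
            _ftype, flen = struct.unpack_from("!HH", payload, offset)
            # Stop at anything that is not a well-formed, 4-byte-aligned field inside the packet.
            if flen < EXT_FIELD_MIN_LEN or flen % 4 or offset + flen > len(payload):
                break
            ext_count += 1
            offset += flen
    return NtpPacketInfo(len(payload), version, mode, ext_count)


def size_policy(info: NtpPacketInfo, threshold: int = MONLIST_RESPONSE_LEN) -> str:
    """Size-based policer: packets at or above the monlist size are rate-limited, not dropped."""
    return "throttle" if info.length >= threshold else "pass"


def mode_policy(info: NtpPacketInfo) -> str:
    """Mode-based filter: drop mode 7 (monlist and other ntpd diagnostics), pass everything else."""
    return "drop" if info.mode == MODE_PRIVATE else "pass"


def classify(payload: bytes) -> dict:
    """Return both policy decisions for one payload, alongside what was parsed."""
    info = parse_ntp(payload)
    return {"mode": info.mode, "length": info.length, "ext_fields": info.extension_fields,
            "size_policy": size_policy(info), "mode_policy": mode_policy(info)}


def _ext_field(ftype: int, value_len: int) -> bytes:
    """Build a zero-valued extension field (constructed sample data)."""
    return struct.pack("!HH", ftype, 4 + value_len) + bytes(value_len)


# Constructed sample packets (contents zero-filled apart from the bytes the parser reads).
CLIENT_REQUEST = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)          # LI=0, VN=4, mode 3, 48 bytes
NTS_RESPONSE = (bytes([0x24]) + bytes(NTP_HEADER_LEN - 1)            # LI=0, VN=4, mode 4
                + _ext_field(EF_UNIQUE_IDENTIFIER, 32)              # 36 bytes
                + _ext_field(EF_NTS_COOKIE, 100)                    # 104 bytes
                + _ext_field(EF_NTS_AUTHENTICATOR, 64))             # 68 bytes -> 256 total (assumed size)
MONLIST_RESPONSE = bytes([0x97]) + bytes(MONLIST_RESPONSE_LEN - 1)  # R=1, VN=2, mode 7, 468 bytes


def demo() -> dict:
    """Run all three samples through both policies."""
    return {name: classify(pkt) for name, pkt in (("client", CLIENT_REQUEST),
                                                   ("nts", NTS_RESPONSE),
                                                   ("monlist", MONLIST_RESPONSE))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} {result}")
```

The point the comparison makes: at the 468-byte threshold a size policer leaves this 256-byte NTS response alone while throttling the mode-7 response, and a mode-7 block reaches the same result for these packets without depending on size at all; the two policies differ once NTS or other legitimate packets grow past the threshold.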