Yes, we still see lots of UDP amplification attacks using NTP monlist. We use
a filter to block UDP src 123 packets of 468 bytes in length (monlist reply
with the max 6 IPs).
-Rich
On 3/17/20, 8:55 AM, "NANOG on behalf of Jared Mauch" <nanog-boun...@nanog.org
on behalf of ja...@puck.nether.net> wrote:
I’m curious what people are seeing these days on the UDP/123 policers in
their networks.
I know while I was at NTT we rolled some out, and there are a number of
variants that have occurred over the past 6-7 years. I’ve heard from people at
the NTP Pool as well as having observed some issues with NTP at Akamai and time
sync from time to time.
Are you still seeing a lot of NTP attacks in your flows these days?
Should we be looking to remove these, similar to how we did for SQL/Slammer
after a time?
- Jared
E-MAIL CONFIDENTIALITY NOTICE:
The contents of this e-mail message and any attachments are intended solely for
the addressee(s) and may contain confidential and/or legally privileged
information. If you are not the intended recipient of this message or if this
message has been addressed to you in error, please immediately alert the sender
by reply e-mail and then delete this message and any attachments. If you are
not the intended recipient, you are notified that any use, dissemination,
distribution, copying, or storage of this message or any attachment is strictly
prohibited.
