On Tue, Mar 17, 2020 at 9:03 AM Compton, Rich A <rich.comp...@charter.com> wrote:
> Yes, we still see lots of UDP amplification attacks using NTP monlist. We > use a filter to block UDP src 123 packets of 468 bytes in length (monlist > reply with the max 6 IPs). > > -Rich +1 , still see, still have policers Fyi, ipv6 ntp / udp tends to have a much higher success rate getting through cgn / policers / ... > > On 3/17/20, 8:55 AM, "NANOG on behalf of Jared Mauch" < > nanog-boun...@nanog.org on behalf of ja...@puck.nether.net> wrote: > > I’m curious what people are seeing these days on the UDP/123 policers > in their networks. > > I know while I was at NTT we rolled some out, and there are a number > of variants that have occurred over the past 6-7 years. I’ve heard from > people at the NTP Pool as well as having observed some issues with NTP at > Akamai and time sync from time to time. > > Are you still seeing a lot of NTP attacks in your flows these days? > > Should we be looking to remove these, similar to how we did for > SQL/Slammer after a time? > > - Jared > > E-MAIL CONFIDENTIALITY NOTICE: > The contents of this e-mail message and any attachments are intended > solely for the addressee(s) and may contain confidential and/or legally > privileged information. If you are not the intended recipient of this > message or if this message has been addressed to you in error, please > immediately alert the sender by reply e-mail and then delete this message > and any attachments. If you are not the intended recipient, you are > notified that any use, dissemination, distribution, copying, or storage of > this message or any attachment is strictly prohibited. >