On Feb 3, 2014, at 1:54 PM, Michael DeMan <na...@deman.com> wrote:

> I certainly would not want to provide as part of the AUP (as seller or buyer), a
> policy that fundamentals like NTP are 'blocked' to customers. Seems like too
> much of a slippery slope for my taste.

The idea is to block traffic to misconfigured ntpds on broadband customer access networks, not to limit their choice of which ntp servers to use.

> In regards to anti-spoofing measures - I think there are a couple of vectors
> about the latest NTP attack where more rigorous client-side anti-spoofing
> could help but will not solve it overall.

Rigorous antispoofing would solve the problem of all reflection/amplification DDoS attacks. My hunch is that most spoofed traffic involved in these attacks actually emanates from compromised/abused servers on IDC networks (including so-called 'bulletproof' miscreant-friendly networks), but I've no data to support that, yet.

> Trying to be fair and practical (from my perspective) - it is a lot easier
> and quicker to patch/workaround IPv4 problems and address proper solutions
> via IPv6 and associated RFCs?

There's nothing in IPv6 which makes any difference. The ultimate solution is antispoofing at the customer edge.

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton