On Mon, Feb 3, 2014 at 7:40 PM, Glen Turner <g...@gdt.id.au> wrote:
>
> On 4 Feb 2014, at 9:28 am, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>
>> wait, so the whole of the thread is about stopping participants in the
>> attack, and you're suggesting that removing/changing end-system
>> switch/routing gear and doing something more complex than:
>> deny udp any 123 any
>> deny udp any 123 any 123
>> permit ip any any
>
> Which just pushes NTP to some other port, making control harder. We've
> already pushed all 'interesting' traffic to port 80 on TCP, which has made
> traffic control very expensive. Let's not repeat that history.
I think in the case of 'oh crap, customer is getting 100gbps of ntp...' the above (a third party notes that the 2nd line is redundant) is a fine answer, till the flood abates. I wouldn't recommend wholesale blocking of anything across an ISP edge, but for the specific case Paul was getting at: "ntp reflection attack target is your customer" ... it's going to solve the problem.
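The three-line filter quoted above is easy to reason about by hand, but the remark that the second line is redundant is the kind of thing that is worth checking mechanically before an emergency ACL goes onto an edge router. The following is an added illustration, not code from anyone on this thread: a small evaluator for the simplified `action proto src [sport] dst [dport]` form the mail uses (this is a simplification, not real IOS syntax), with a first-match lookup and a shadow check that flags any entry whose every possible match is already caught by an earlier entry. The sample flows and addresses are constructed for the demonstration.

```python
"""Toy first-match evaluator for the simplified ACL lines quoted in the thread.

Assumed line format (a simplification of what the mail shows, not vendor syntax):
    <permit|deny> <proto> <src> [<sport>] <dst> [<dport>]
'any' matches every address; an omitted port matches every port; proto 'ip'
matches every protocol. Matching is first-match with an implicit final deny.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_endpoint(tokens: List[str], i: int):
    """Consume '<addr> [<port>]' starting at tokens[i]; return (addr, port, next_i)."""
    addr, i = tokens[i], i + 1
    port = None
    if i < len(tokens) and tokens[i].isdigit():
        port, i = int(tokens[i]), i + 1
    return addr, port, i


def parse_entry(line: str) -> Entry:
    t = line.split()
    action, proto = t[0], t[1]
    src, sport, i = _parse_endpoint(t, 2)
    dst, dport, _ = _parse_endpoint(t, i)
    return Entry(action, proto, src, sport, dst, dport)


def matches(e: Entry, f: Flow) -> bool:
    return ((e.proto == "ip" or e.proto == f.proto)
            and (e.src == "any" or e.src == f.src)
            and (e.sport is None or e.sport == f.sport)
            and (e.dst == "any" or e.dst == f.dst)
            and (e.dport is None or e.dport == f.dport))


def evaluate(acl: List[Entry], f: Flow) -> str:
    """Return the action of the first matching entry, or 'deny' (implicit deny)."""
    for e in acl:
        if matches(e, f):
            return e.action
    return "deny"


def _covers(a: Entry, b: Entry) -> bool:
    """True if every flow that b matches is also matched by a (a is at least as broad)."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.src == "any" or a.src == b.src)
            and (a.sport is None or a.sport == b.sport)
            and (a.dst == "any" or a.dst == b.dst)
            and (a.dport is None or a.dport == b.dport))


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Indices of entries that can never be the first match because an earlier entry covers them."""
    return [j for j, b in enumerate(acl) if any(_covers(a, b) for a in acl[:j])]


# The filter exactly as quoted in the mail.
ACL_TEXT = [
    "deny udp any 123 any",
    "deny udp any 123 any 123",
    "permit ip any any",
]
ACL = [parse_entry(line) for line in ACL_TEXT]

# Constructed sample flows (RFC 5737 documentation addresses).
REFLECTED_NTP = Flow("udp", "203.0.113.7", 123, "198.51.100.9", 80)     # amplifier -> victim
NTP_TO_NTP = Flow("udp", "203.0.113.7", 123, "198.51.100.9", 123)       # server-to-server
WEB = Flow("tcp", "203.0.113.7", 443, "198.51.100.9", 80)                # unrelated traffic
NTP_QUERY = Flow("udp", "198.51.100.9", 40000, "203.0.113.7", 123)       # client query out

if __name__ == "__main__":
    print("shadowed entries:", [ACL_TEXT[i] for i in shadowed_entries(ACL)])
    for name, f in [("reflected ntp", REFLECTED_NTP), ("ntp->ntp", NTP_TO_NTP),
                    ("web", WEB), ("ntp query", NTP_QUERY)]:
        print(f"{name:14s} -> {evaluate(ACL, f)}")
```

Running this reports the second line as shadowed, since anything with UDP source port 123 is already dropped by the first line regardless of destination port. It also makes the cost of the emergency filter explicit: the outbound NTP query is permitted, but a legitimate server's reply (UDP source port 123) is dropped along with the reflected flood, which is why the thread treats this as a measure to apply only while the attack is under way.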