To hijack this a bit (before the BCP38 arguments start): is there any
way for us as a service provider to ensure that our NTP servers are
returned to clients connecting from our ASN? Is this something that
makes sense?

We run multiple NTP servers, but we have no way of ensuring clients are
explicitly configured to connect to them (short of hijacking recursive
DNS, which is not something we want to do). While I wouldn't expect to
be able to override all the provided NTP servers, it would be nice if we
could at least ensure everyone on our network was using one of our NTP
servers (maybe just have, say, 2.pool always redirect to an ISP-provided
one, if available?).

We already have similar functionality for Debian/Ubuntu mirrors, so this
wouldn't be something that's completely unheard of. It's getting to the
point where we can't guarantee connectivity to remote NTP servers.
Being able to ensure there's at least one sane time source available to
our customers would be good.

On 3/16/2014 8:16 PM, AlbyVA wrote:

Has anybody else noticed the rapid decline in NTP Pool servers over the
last couple of months?

Just a few days ago I found out that my VPN tunnel provider (Reliable
Hosting) made a business decision to block Port 123 as their way of
mitigating NTP Reflection Attacks. I suggested to their tech guys they
should have just policed port 123 traffic and dropped anything that was
around 400/bytes or larger. But I'm sure that recommendation will fall
on deaf ears.

In any case, looking at the Global pool servers
(http://www.pool.ntp.org/zone) there has been a 10% decline over the
last 180 days. 50% of that being in the last 60 days. It just appears
that excessive actions are being taken against NTP traffic across the
board. Word needs to go out for providers to slow down with the heavy
hand of outright port blocking (if that is what's really going on). I'm
just using my own encounters as a window on what might be a larger issue
underway.

-Alby
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
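
As an added illustration (not part of either message, and not code from the pool project): the size-based policing suggested in the quoted message, applied to constructed UDP datagrams. It shows that ordinary 48-byte time exchanges sit far below a 400-byte threshold, so they pass while oversized port 123 payloads are dropped; the function names, the threshold constant and the sample packets are assumptions made for the example.

```python
from collections import Counter

NTP_PORT = 123
DROP_AT = 400    # payload bytes; the threshold proposed in the quoted message
BASIC_LEN = 48   # fixed NTP header, no extension fields or MAC

# Mode is the low three bits of the first NTP octet.
MODES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
         4: "server", 5: "broadcast", 6: "control", 7: "private"}

def classify(sport, dport, payload):
    """Return (verdict, mode_name) for one UDP datagram."""
    if NTP_PORT not in (sport, dport):
        return "pass", "not-ntp"          # policy only applies to port 123
    mode = MODES.get(payload[0] & 0x07, "reserved") if payload else "empty"
    verdict = "drop" if len(payload) >= DROP_AT else "pass"
    return verdict, mode

def police(datagrams):
    """Apply classify() to (sport, dport, payload) tuples and tally results."""
    tally = Counter()
    for sport, dport, payload in datagrams:
        tally[classify(sport, dport, payload)] += 1
    return tally

def ntp_payload(mode, version=4, total_len=BASIC_LEN):
    """Build a constructed payload: valid first octet, zero-filled remainder."""
    first = (version << 3) | mode         # leap indicator bits left at 0
    return bytes([first]) + bytes(total_len - 1)

# Constructed sample traffic, not captured from any network.
SAMPLE = [
    (40000, 123, ntp_payload(3)),                           # client request
    (123, 40000, ntp_payload(4)),                           # server reply
    (123, 40000, ntp_payload(4, total_len=68)),             # reply with 20-byte MAC
    (123, 40001, ntp_payload(7, version=2, total_len=440)), # large mode 7 response
    (123, 40001, ntp_payload(6, version=2, total_len=480)), # large mode 6 response
    (53, 40002, bytes(512)),                                # other UDP, untouched
]

if __name__ == "__main__":
    for (verdict, mode), count in sorted(police(SAMPLE).items()):
        print(f"{verdict:5} {mode:8} {count}")
```
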