Re: Filter NTP traffic by packet size?

2014-02-25 Thread Blake Hudson
I talked to one of our upstream IP transit providers and was able to 
negotiate individual policing levels on NTP, DNS, SNMP, and Chargen by 
UDP port within our aggregate policer. As mentioned, the legitimate 
traffic levels of these services are near 0. We gave each service many 
times the amount to satisfy subscribers, but not enough to overwhelm 
network links during an attack.


--Blake

Chris Laffin wrote the following on 2/23/2014 8:58 AM:

I've talked to some major peering exchanges and they refuse to take any action. 
Possibly if the requests come from many peering participants it will be taken 
more seriously?


On Feb 22, 2014, at 19:23, Peter Phaal peter.ph...@gmail.com wrote:

Brocade demonstrated how peering exchanges can selectively filter
large NTP reflection flows using the sFlow monitoring and hybrid port
OpenFlow capabilities of their MLXe switches at last week's Network
Field Day event.

http://blog.sflow.com/2014/02/nfd7-real-time-sdn-and-nfv-analytics_1986.html


On Sat, Feb 22, 2014 at 4:43 PM, Chris Laffin claf...@peer1.com wrote:
Has anyone talked about policing ntp everywhere? Normal traffic levels are 
extremely low but the ddos traffic is very high. It would be really cool if 
peering exchanges could police ntp on their connected members.


On Feb 22, 2014, at 8:05, Paul Ferguson fergdawgs...@mykolab.com wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


On 2/22/2014 7:06 AM, Nick Hilliard wrote:

On 22/02/2014 09:07, Cb B wrote:
Summary IETF response:  The problem I described is already solved
by bcp38, nothing to see here, carry on with UDP

udp is here to stay.  Denying this is no more useful than trying to
push the tide back with a teaspoon.

Yes, udp is here to stay, and I quote Randy Bush on this, I encourage
my competitors to block udp.  :-p

- - ferg


- --
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlMIynoACgkQKJasdVTchbJsqQD/ZVz5vYaIAEv/z2kbU6kEM+KS
OQx2XcSkU7r02wNDytoBANVkgZQalF40vhQED+6KyKv7xL1VfxQg1W8T4drh+6/M
=FTxg
-END PGP SIGNATURE-





RE: Filter NTP traffic by packet size?

2014-02-25 Thread Staudinger, Malcolm
Why wouldn't you just block chargen entirely? Is it actually still being used 
these days for anything legitimate?

Malcolm Staudinger
Information Security Analyst | EIS
EarthLink

E: mstaudin...@corp.earthlink.com

-Original Message-
From: Blake Hudson [mailto:bl...@ispn.net] 
Sent: Tuesday, February 25, 2014 8:58 AM
To: nanog@nanog.org
Subject: Re: Filter NTP traffic by packet size?

I talked to one of our upstream IP transit providers and was able to negotiate 
individual policing levels on NTP, DNS, SNMP, and Chargen by UDP port within 
our aggregate policer. As mentioned, the legitimate traffic levels of these 
services are near 0. We gave each service many times the amount to satisfy 
subscribers, but not enough to overwhelm network links during an attack.

--Blake

Chris Laffin wrote the following on 2/23/2014 8:58 AM:
 I've talked to some major peering exchanges and they refuse to take any 
 action. Possibly if the requests come from many peering participants it will 
 be taken more seriously?

 On Feb 22, 2014, at 19:23, Peter Phaal peter.ph...@gmail.com wrote:

 Brocade demonstrated how peering exchanges can selectively filter 
 large NTP reflection flows using the sFlow monitoring and hybrid port 
 OpenFlow capabilities of their MLXe switches at last week's Network 
 Field Day event.

 http://blog.sflow.com/2014/02/nfd7-real-time-sdn-and-nfv-analytics_1986.html

 On Sat, Feb 22, 2014 at 4:43 PM, Chris Laffin claf...@peer1.com wrote:
 Has anyone talked about policing ntp everywhere? Normal traffic levels are 
 extremely low but the ddos traffic is very high. It would be really cool if 
 peering exchanges could police ntp on their connected members.

 On Feb 22, 2014, at 8:05, Paul Ferguson fergdawgs...@mykolab.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 On 2/22/2014 7:06 AM, Nick Hilliard wrote:

 On 22/02/2014 09:07, Cb B wrote:
 Summary IETF response:  The problem I described is already solved 
 by bcp38, nothing to see here, carry on with UDP
 udp is here to stay.  Denying this is no more useful than trying 
 to push the tide back with a teaspoon.
 Yes, udp is here to stay, and I quote Randy Bush on this, I 
 encourage my competitors to block udp.  :-p

 - - ferg


 - --
 Paul Ferguson
 VP Threat Intelligence, IID
 PGP Public Key ID: 0x54DC85B2

 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2.0.22 (MingW32)
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iF4EAREIAAYFAlMIynoACgkQKJasdVTchbJsqQD/ZVz5vYaIAEv/z2kbU6kEM+KS
 OQx2XcSkU7r02wNDytoBANVkgZQalF40vhQED+6KyKv7xL1VfxQg1W8T4drh+6/M
 =FTxg
 -END PGP SIGNATURE-




Verizon FIOS and DSL issues in North Texas Area

2014-02-25 Thread Joseph Jackson
Hey list,

Been seeing issues hitting YouTube/Wikipedia and other random websites
from the North Texas area when taking Verizon FIOS and DSL.

Haven't been able to narrow it down to any traceroutes or pings as
they all seem to be OK.
Have reports from other Verizon customers seeing the same issues
yesterday and today.

Thanks

Joseph



Re: Filter NTP traffic by packet size?

2014-02-25 Thread Nick Hilliard
On 25/02/2014 17:22, Staudinger, Malcolm wrote:
 Why wouldn't you just block chargen entirely?

While we're at it, why not just block everything except for tcp port 80 and
dns?  Isn't that the only legitimate traffic on the interweb these days?

Nick




Re: Filter NTP traffic by packet size?

2014-02-25 Thread Blake Hudson
As an ISP in the USA, we try to follow the FCC's guidelines on a policy 
of non-blocking. Not just because the FCC says so, but because we think 
it's in our and our customers' best interests. We don't dictate what our 
customers can do with their internet connection as long as they're not 
breaking the law or negatively affecting the service for others.


--Blake


Staudinger, Malcolm wrote the following on 2/25/2014 11:22 AM:

Why wouldn't you just block chargen entirely? Is it actually still being used 
these days for anything legitimate?

Malcolm Staudinger
Information Security Analyst | EIS
EarthLink

E: mstaudin...@corp.earthlink.com

-Original Message-
From: Blake Hudson [mailto:bl...@ispn.net]
Sent: Tuesday, February 25, 2014 8:58 AM
To: nanog@nanog.org
Subject: Re: Filter NTP traffic by packet size?

I talked to one of our upstream IP transit providers and was able to negotiate 
individual policing levels on NTP, DNS, SNMP, and Chargen by UDP port within 
our aggregate policer. As mentioned, the legitimate traffic levels of these 
services are near 0. We gave each service many times the amount to satisfy 
subscribers, but not enough to overwhelm network links during an attack.

--Blake






Re: Filter NTP traffic by packet size?

2014-02-25 Thread Cb B
On Tue, Feb 25, 2014 at 8:58 AM, Blake Hudson bl...@ispn.net wrote:
 I talked to one of our upstream IP transit providers and was able to
 negotiate individual policing levels on NTP, DNS, SNMP, and Chargen by UDP
 port within our aggregate policer. As mentioned, the legitimate traffic
 levels of these services are near 0. We gave each service many times the
 amount to satisfy subscribers, but not enough to overwhelm network links
 during an attack.

 --Blake


Blake,

What you have done is common and required to keep the network up at
this time. It is perfectly appropriate to have a baseline and enforce
some multiple of the baseline with a policer.

People who say this is the wrong thing to do are not running a network
of significant size, end of story.

CB


 Chris Laffin wrote the following on 2/23/2014 8:58 AM:

 I've talked to some major peering exchanges and they refuse to take any
 action. Possibly if the requests come from many peering participants it will
 be taken more seriously?

 On Feb 22, 2014, at 19:23, Peter Phaal peter.ph...@gmail.com wrote:

 Brocade demonstrated how peering exchanges can selectively filter
 large NTP reflection flows using the sFlow monitoring and hybrid port
 OpenFlow capabilities of their MLXe switches at last week's Network
 Field Day event.


 http://blog.sflow.com/2014/02/nfd7-real-time-sdn-and-nfv-analytics_1986.html

 On Sat, Feb 22, 2014 at 4:43 PM, Chris Laffin claf...@peer1.com wrote:
 Has anyone talked about policing ntp everywhere? Normal traffic levels
 are extremely low but the ddos traffic is very high. It would be really
 cool if peering exchanges could police ntp on their connected members.

 On Feb 22, 2014, at 8:05, Paul Ferguson fergdawgs...@mykolab.com
 wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 On 2/22/2014 7:06 AM, Nick Hilliard wrote:

 On 22/02/2014 09:07, Cb B wrote:
 Summary IETF response:  The problem I described is already solved
 by bcp38, nothing to see here, carry on with UDP

 udp is here to stay.  Denying this is no more useful than trying to
 push the tide back with a teaspoon.

 Yes, udp is here to stay, and I quote Randy Bush on this, I encourage
 my competitors to block udp.  :-p

 - - ferg


 - --
 Paul Ferguson
 VP Threat Intelligence, IID
 PGP Public Key ID: 0x54DC85B2

 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2.0.22 (MingW32)
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iF4EAREIAAYFAlMIynoACgkQKJasdVTchbJsqQD/ZVz5vYaIAEv/z2kbU6kEM+KS
 OQx2XcSkU7r02wNDytoBANVkgZQalF40vhQED+6KyKv7xL1VfxQg1W8T4drh+6/M
 =FTxg
 -END PGP SIGNATURE-
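The arrangement Blake describes (separate policing levels for NTP, DNS, SNMP and Chargen by UDP port, each set to many times the legitimate baseline) and that CB endorses ("a baseline and some multiple of the baseline with a policer"), as an added Python example. This is not code from the thread, from any of the posters, or from any vendor: it models each per-port limit as a token bucket and runs constructed sample traffic through it. The port list, the baseline rates, the multiplier of 10, the packet sizes and the rule that a packet is matched on its source port when that is a policed service port (reflection responses carry the service port as source) are all assumptions of this example.

```python
"""Per-service UDP policer simulation (added example, not from the thread).

Each policed service gets a token bucket whose sustained rate is
MULTIPLIER times a constructed baseline of legitimate traffic. Times are
integer milliseconds so the arithmetic is exact and reproducible.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed baseline of legitimate traffic per service, in bytes/second.
# A real deployment would take these numbers from measured flow data.
BASELINE_BPS = {
    123: 20_000,    # NTP
    53:  400_000,   # DNS
    161: 5_000,     # SNMP
    19:  1_000,     # Chargen
}
MULTIPLIER = 10      # "many times the amount to satisfy subscribers" (assumed)
BURST_MS = 1_000     # bucket depth: one second of tokens at the policed rate


@dataclass
class Packet:
    t_ms: int        # arrival time in milliseconds
    src_port: int
    dst_port: int
    size: int        # bytes on the wire
    label: str       # "legit" or "attack"; used only for reporting


class TokenBucket:
    """Single-rate policer: a packet conforms while the bucket holds enough tokens."""

    def __init__(self, rate_per_ms: int, depth: int):
        self.rate_per_ms = rate_per_ms
        self.depth = depth
        self.tokens = depth
        self.last_ms = 0

    def conform(self, t_ms: int, size: int) -> bool:
        # Refill for the elapsed time, never above the bucket depth.
        self.tokens = min(self.depth, self.tokens + (t_ms - self.last_ms) * self.rate_per_ms)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def build_policers():
    """One bucket per policed port, sized at MULTIPLIER x baseline."""
    policers = {}
    for port, bps in BASELINE_BPS.items():
        rate_per_ms = bps * MULTIPLIER // 1000   # constructed values divide evenly
        policers[port] = TokenBucket(rate_per_ms, rate_per_ms * BURST_MS)
    return policers


def police(packets):
    """Run packets through the per-port policers in arrival order.

    Returns {(port, label): (passed_bytes, dropped_bytes)}. Reflection
    responses carry the service port as *source* port, so either port
    selects the bucket; unpoliced ports are passed without accounting.
    """
    policers = build_policers()
    stats = defaultdict(lambda: [0, 0])
    for p in sorted(packets, key=lambda pkt: pkt.t_ms):
        port = p.src_port if p.src_port in policers else p.dst_port
        if port not in policers:
            continue
        ok = policers[port].conform(p.t_ms, p.size)
        stats[(port, p.label)][0 if ok else 1] += p.size
    return {k: tuple(v) for k, v in stats.items()}


def legit_traffic():
    """Constructed subscriber traffic: an NTP poll every 100 ms, a DNS query every 10 ms."""
    pkts = [Packet(t, 40000, 123, 48, "legit") for t in range(0, 10_000, 100)]
    pkts += [Packet(t, 40001, 53, 80, "legit") for t in range(0, 10_000, 10)]
    return pkts


def attack_traffic():
    """Constructed reflection flood: 500-byte responses from source port 123, one per ms for 10 s."""
    return [Packet(t, 123, 40002, 500, "attack") for t in range(0, 10_000)]


if __name__ == "__main__":
    for name, pkts in (("legit only", legit_traffic()),
                       ("flood only", attack_traffic()),
                       ("flood + legit", attack_traffic() + legit_traffic())):
        print(name, police(pkts))
```

With these numbers the subscriber traffic never touches its limits, while the 500,000 bytes/s flood toward port 123 is clipped to the policed 200,000 bytes/s plus one second of burst, which is the whole point: the links stay up regardless of how large the reflection volume is. The caveat a practitioner should keep in mind is that legitimate and reflected traffic toward the same port share one bucket, so during a sustained flood the policer protects the links, not the NTP service itself; that is why the multiplier over the measured baseline has to be generous, and why the baseline should come from real flow data rather than a guess.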