On Wed, Mar 18, 2020 at 8:46 AM Steven Sommars <stevesommars...@gmail.com> wrote:
> The various NTP filters (rate limits, packet size limits) are negatively
> affecting the NTP Pool, the new secure NTP protocol (Network Time Security)
> and other clients. NTP filters were deployed several years ago to solve
> serious DDoS issues, I'm not second guessing those decisions. Changing the
> filters to instead block NTP mode 7, which covers monlist and other
> diagnostics, would improve NTP usability.
>
> http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf
>

Yeh, not changing ipv4 filters, Sorry pool. Burned once, twice shy.

There is no simple way to do router filters based on ntp app modes.

I suggest people be aware of time.google.com

And time.cloudflare.com

CB

> On Tue, Mar 17, 2020 at 11:17 AM Mark Tinka <mark.ti...@seacom.mu> wrote:
>
>> On 17/Mar/20 18:05, Ca By wrote:
>>
>> +1, still see, still have policers
>>
>> Fyi, ipv6 ntp / udp tends to have a much higher success rate getting
>> through cgn / policers / ...
>>
>> For those that have come in as attacks toward customers, we've "scrubbed"
>> them where there has been interest.
>>
>> Mark.
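
For reference, the NTP mode discussed in this thread is the low three bits of the first byte of the UDP payload. The Python sketch below is an added example, not part of the thread: it runs host-side (not as a router ACL) and compares a size-based filter with a mode-based one; the 48-byte threshold, the policy names and the sample datagrams are constructed assumptions.

```python
# Added example: constructed packets, hypothetical policy names and threshold.
PRIVATE_MODE = 7      # NTP "private" mode, used by ntpdc queries such as monlist
NTP_HEADER_LEN = 48   # fixed NTP header; extension fields (e.g. for NTS) follow it


def ntp_mode(payload: bytes):
    """Return the NTP mode (0-7) from the first payload byte, or None if empty."""
    # Byte 0 layout: LI (2 bits) | VN (3 bits) | Mode (3 bits)
    return payload[0] & 0x07 if payload else None


def size_policy(payload: bytes, max_len: int = NTP_HEADER_LEN) -> str:
    """Assumed size-based filter: drop any UDP/123 payload longer than max_len."""
    return "drop" if len(payload) > max_len else "pass"


def mode_policy(payload: bytes) -> str:
    """Mode-based filter: drop mode 7 and empty payloads, pass everything else."""
    mode = ntp_mode(payload)
    return "drop" if mode is None or mode == PRIVATE_MODE else "pass"


def first_byte(li: int, vn: int, mode: int) -> bytes:
    """Pack leap indicator, version and mode into the first header byte."""
    return bytes([(li << 6) | (vn << 3) | mode])


# Constructed samples: only byte 0 and the total length are meaningful here,
# the remaining bytes are zero padding rather than valid NTP fields.
SAMPLES = {
    "client request": first_byte(0, 4, 3) + bytes(47),
    "server reply": first_byte(0, 4, 4) + bytes(47),
    "request with extension fields": first_byte(0, 4, 3) + bytes(47 + 180),
    "mode 7, short": first_byte(0, 2, 7) + bytes(7),
    "mode 7, large": first_byte(0, 2, 7) + bytes(439),
}


def compare(samples=SAMPLES):
    """Map sample name -> (length, mode, size-policy verdict, mode-policy verdict)."""
    return {name: (len(p), ntp_mode(p), size_policy(p), mode_policy(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (length, mode, by_size, by_mode) in compare().items():
        print(f"{name:32} len={length:3} mode={mode} size={by_size:4} mode={by_mode}")
```

The sample with extension fields stands in for a time request that is longer than the bare 48-byte header, which is the kind of packet a length limit affects.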