On Wed, Mar 18, 2020 at 8:45 AM Steven Sommars <stevesommars...@gmail.com> wrote:
> The various NTP filters (rate limits, packet size limits) are negatively
> affecting the NTP Pool, the new secure NTP protocol (Network Time Security)
> and other clients. NTP filters were deployed several years ago to solve
> serious DDoS issues, I'm not second-guessing those decisions. Changing the
> filters to instead block NTP mode 7, which covers monlist and other
> diagnostics, would improve NTP usability.
>
> http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf

I've advocated a throttle (not a hard block) on udp/123 packets with 468 Bytes/packet (the size of a full monlist response).

In your paper you mention NTS extensions can be 200+ bytes. How large do those packets typically get, in practice? And how significant is packet loss for them (if there's high packet loss during the occasional attack, does that pose a problem)?

Damian
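The two filter designs under discussion (blocking mode 7 vs. throttling by packet size) can be compared on constructed packets. This is an added example, not code from either correspondent; the 468-byte threshold is the one quoted above, the extension-field layout follows RFC 7822, the NTS field types follow RFC 8915, and the cookie length and field contents are made-up values chosen only to illustrate sizes.

```python
import struct

MONLIST_RESPONSE_SIZE = 468     # full mode-7 monlist reply size quoted in the thread
NTP_HEADER_LEN = 48             # RFC 5905 header without extension fields

# RFC 8915 NTS extension field types
EF_UNIQUE_ID, EF_COOKIE, EF_COOKIE_PLACEHOLDER, EF_AUTHENTICATOR = 0x0104, 0x0204, 0x0304, 0x0404


def parse_first_byte(payload: bytes) -> tuple:
    """Return (leap indicator, version, mode) packed into the first NTP header byte."""
    if not payload:
        raise ValueError("empty payload")
    b = payload[0]
    return b >> 6, (b >> 3) & 0x7, b & 0x7


def extension_field(ef_type: int, body: bytes) -> bytes:
    """RFC 7822 extension field: type, total length (incl. 4-byte header), body padded to 4 bytes."""
    pad = (-len(body)) % 4
    return struct.pack("!HH", ef_type, 4 + len(body) + pad) + body + b"\x00" * pad


def nts_client_request(cookie_len: int = 100, placeholders: int = 1) -> bytes:
    """NTS-protected mode-3 request; field contents are constructed, not cryptographically valid."""
    header = bytes([0x23]) + b"\x00" * (NTP_HEADER_LEN - 1)   # LI=0, VN=4, mode=3
    fields = extension_field(EF_UNIQUE_ID, b"\x11" * 32)
    fields += extension_field(EF_COOKIE, b"\x22" * cookie_len)
    fields += extension_field(EF_COOKIE_PLACEHOLDER, b"\x00" * cookie_len) * placeholders
    fields += extension_field(EF_AUTHENTICATOR, struct.pack("!HH", 16, 16) + b"\x33" * 32)
    return header + fields


def classify(payload: bytes) -> str:
    """'drop' mode 7 (monlist and other private diagnostics), 'throttle' oversize packets, else 'pass'."""
    _, _, mode = parse_first_byte(payload)
    if mode == 7:
        return "drop"
    if len(payload) >= MONLIST_RESPONSE_SIZE:
        return "throttle"
    return "pass"


if __name__ == "__main__":
    plain = bytes([0x23]) + b"\x00" * 47          # ordinary NTP client request, 48 bytes
    mode7 = bytes([0x17]) + b"\x00" * 7           # constructed header only: VN=2, mode=7
    for name, pkt in [("plain", plain), ("nts", nts_client_request()),
                      ("nts-7-placeholders", nts_client_request(placeholders=7)), ("mode7", mode7)]:
        print(f"{name:20s} {len(pkt):4d} bytes -> {classify(pkt)}")
```

With one cookie placeholder the NTS request is 332 bytes and passes the size throttle, but a client asking for many fresh cookies (seven placeholders here, 956 bytes) crosses the 468-byte line even though it carries no mode-7 traffic, which is exactly the collateral damage the size-based filter can cause.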
> The various NTP filters (rate limits, packet size limits) are negatively > affecting the NTP Pool, the new secure NTP protocol (Network Time Security) > and other clients. NTP filters were deployed several years ago to solve > serious DDoS issues, I'm not second guessing those decisions. Changing the > filters to instead block NTP mode 7, which cover monlist and other > diagnostics, would improve NTP usability. > > http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf > > I've advocated a throttle (not a hard block) on udp/123 packets with 468 Bytes/packet (the size of a full monlist response). In your paper you mention NTS extensions can be 200+ bytes. How large do those packets typically get, in practice? And how significant is packet loss for them (if there's high packet loss during the occasional attack, does that pose a problem)? Damian