On Thu, Feb 20, 2014 at 2:12 PM, Damian Menscher <dam...@google.com> wrote: > On Thu, Feb 20, 2014 at 1:03 PM, Jared Mauch <ja...@puck.nether.net> wrote: >> >> On Feb 20, 2014, at 3:51 PM, John Weekes <j...@nuclearfallout.net> wrote: >> > On 2/20/2014 12:41 PM, Edward Roels wrote: >> >> Curious if anyone else thinks filtering out NTP packets above a certain >> >> packet size is a good or terrible idea. >> >> >> >> From my brief testing it seems 90 bytes for IPv4 and 110 bytes for IPv6 >> are >> >> typical for a client to successfully synchronize to an NTP server. >> >> >> >> If I query a server for it's list of peers (ntpq -np <ip>) I've seen >> >> packets as large as 522 bytes in a single packet in response to a 54 >> byte >> >> query. I'll admit I'm not 100% clear of the what is happening >> >> protocol-wise when I perform this query. I see there are multiple >> packets >> >> back forth between me and the server depending on the number of peers it >> >> has? >> > >> > If your equipment supports this, and you're seeing reflected NTP >> attacks, then it is an effective stopgap to block nearly all of the inbound >> attack traffic to affected hosts. Some still comes through from NTP servers >> running on nonstandard ports, but not much. >> > > Also, don't forget to ask those sending the attack traffic to trace where > the spoofed packets ingressed their networks. > > > Standard IPv4 NTP response packets are 76 bytes (plus any link-level >> headers), based on my testing. I have been internally filtering packets of >> other sizes against attack targets for some time now with no ill-effect. >> >> You can filter packets that are 440 bytes in size and it will do a lot to >> help the problem, but make sure you conjoin these with protocol udp and >> port=123 rules to avoid collateral damage. >> > > Preferably just source-port 123. > > You may also want to look at filtering UDP/80 outright as well, as that is >> commonly used as an "I'm going to attack port 80" by attackers that don't >> quite understand the difference between UDP and TCP. >> > > Please don't filter UDP/80. It's used by QUIC ( > http://en.wikipedia.org/wiki/QUIC). > > Damian
The folks at QUIC have been advised to not use UDP for a new protocol, and they would be very well advised to not use UDP:80 since that is a well known target port used in the DDoS reflection attacks. As Jared noted, UDP:80 is a cesspool today. Attempting to use it for legit traffic is not smart. CB
