I talked to one of our upstream IP transit providers and was able to negotiate individual policing levels on NTP, DNS, SNMP, and Chargen by UDP port within our aggregate policer. As mentioned, the legitimate traffic levels of these services are near 0. We gave each service many times the amount to satisfy subscribers, but not enough to overwhelm network links during an attack.
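The per-service policing inside an aggregate policer described above, as an added example that is not from the post or any provider's configuration: a small Python simulation of a two-level token bucket, with constructed rates and a constructed traffic mix (an NTP reflection flood beside normal-rate DNS replies and unrelated HTTPS). It shows the flood held near its own slice while the rest of the link is untouched.

```python
# Added example: per-service token buckets (by UDP source port) inside one aggregate bucket; all numbers constructed.
SERVICE_PORTS = {123: "ntp", 53: "dns", 161: "snmp", 19: "chargen"}

class TokenBucket:
    def __init__(self, rate, depth):  # rate in bytes/s, depth = max burst in bytes
        self.rate, self.depth = rate, depth
        self.tokens, self.last = float(depth), 0.0

    def refill(self, now):
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now

class HierarchicalPolicer:
    def __init__(self, aggregate_bps, per_service_bps, burst_s=0.1):
        self.aggregate = TokenBucket(aggregate_bps, aggregate_bps * burst_s)
        self.services = {n: TokenBucket(per_service_bps, per_service_bps * burst_s)
                         for n in SERVICE_PORTS.values()}

    def admit(self, udp_sport, size, now):
        """Admit only if the packet fits its service slice (if any) AND the aggregate;
        both are checked before debiting so a refusal never burns the other's tokens."""
        buckets = [self.aggregate]
        if udp_sport in SERVICE_PORTS:
            buckets.append(self.services[SERVICE_PORTS[udp_sport]])
        for b in buckets:
            b.refill(now)
        if any(b.tokens < size for b in buckets):
            return False
        for b in buckets:
            b.tokens -= size
        return True

def simulate(policer, packets):
    """packets: (time_s, udp_sport, size_bytes) in time order -> accepted bytes per port."""
    accepted = {}
    for now, sport, size in packets:
        if policer.admit(sport, size, now):
            accepted[sport] = accepted.get(sport, 0) + size
    return accepted

def sample_second():
    """Constructed 1 s of traffic: 468-byte NTP reflection replies every 1 ms
    (~3.7 Mbit/s), a 100-byte DNS reply every 10 ms, 700 B/ms of unrelated HTTPS."""
    pkts = []
    for ms in range(1000):
        t = ms / 1000
        pkts += [(t, 123, 468), (t, 443, 700)]
        if ms % 10 == 0:
            pkts.append((t, 53, 100))
    return pkts
```

With a 10 Mbit/s aggregate and 1 Mbit/s per service (`HierarchicalPolicer(1_250_000, 125_000)`), the NTP flood is cut to roughly its 1 Mbit/s slice while every DNS and HTTPS packet is admitted.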


Chris Laffin wrote the following on 2/23/2014 8:58 AM:
I've talked to some major peering exchanges and they refuse to take any action. Possibly if the requests come from many peering participants it will be taken more seriously?

On Feb 22, 2014, at 19:23, "Peter Phaal" <peter.ph...@gmail.com> wrote:

Brocade demonstrated how peering exchanges can selectively filter
large NTP reflection flows using the sFlow monitoring and hybrid port
OpenFlow capabilities of their MLXe switches at last week's Network
Field Day event.


On Sat, Feb 22, 2014 at 4:43 PM, Chris Laffin <claf...@peer1.com> wrote:
Has anyone talked about policing NTP everywhere? Normal traffic levels are extremely low but the DDoS traffic is very high. It would be really cool if peering exchanges could police NTP on their connected members.

On Feb 22, 2014, at 8:05, "Paul Ferguson" <fergdawgs...@mykolab.com> wrote:

On 2/22/2014 7:06 AM, Nick Hilliard wrote:

On 22/02/2014 09:07, Cb B wrote:
Summary IETF response: The problem I described is already solved by BCP38, nothing to see here, carry on with UDP.
UDP is here to stay. Denying this is no more useful than trying to push the tide back with a teaspoon.
Yes, UDP is here to stay, and I quote Randy Bush on this, "I encourage my competitors to block UDP." :-p

- ferg

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
