On Tue, Feb 25, 2014 at 8:58 AM, Blake Hudson <bl...@ispn.net> wrote:
> I talked to one of our upstream IP transit providers and was able to
> negotiate individual policing levels on NTP, DNS, SNMP, and Chargen by UDP
> port within our aggregate policer. As mentioned, the legitimate traffic
> levels of these services are near 0. We gave each service many times the
> amount to satisfy subscribers, but not enough to overwhelm network links
> during an attack.
>
> --Blake
>
Blake, What you have done is common and required to keep the network up at
this time. It is perfectly appropriate to have a baseline and enforce some
multiple of the baseline with a policer. People who say this is the wrong
thing to do are not running a network of significant size, end of story.

CB

> Chris Laffin wrote the following on 2/23/2014 8:58 AM:
>
>> I've talked to some major peering exchanges and they refuse to take any
>> action. Possibly if the requests come from many peering participants it will
>> be taken more seriously?
>>
>>> On Feb 22, 2014, at 19:23, "Peter Phaal" <peter.ph...@gmail.com> wrote:
>>>
>>> Brocade demonstrated how peering exchanges can selectively filter
>>> large NTP reflection flows using the sFlow monitoring and hybrid port
>>> OpenFlow capabilities of their MLXe switches at last week's Network
>>> Field Day event.
>>>
>>> http://blog.sflow.com/2014/02/nfd7-real-time-sdn-and-nfv-analytics_1986.html
>>>
>>>> On Sat, Feb 22, 2014 at 4:43 PM, Chris Laffin <claf...@peer1.com> wrote:
>>>> Has anyone talked about policing NTP everywhere? Normal traffic levels
>>>> are extremely low but the DDoS traffic is very high. It would be really
>>>> cool if peering exchanges could police NTP on their connected members.
>>>>
>>>>> On Feb 22, 2014, at 8:05, "Paul Ferguson" <fergdawgs...@mykolab.com> wrote:
>>>>>
>>>>>> On 2/22/2014 7:06 AM, Nick Hilliard wrote:
>>>>>>
>>>>>>> On 22/02/2014 09:07, Cb B wrote:
>>>>>>> Summary IETF response: The problem I described is already solved
>>>>>>> by bcp38, nothing to see here, carry on with UDP
>>>>>>
>>>>>> udp is here to stay. Denying this is no more useful than trying to
>>>>>> push the tide back with a teaspoon.
>>>>>
>>>>> Yes, udp is here to stay, and I quote Randy Bush on this, "I encourage
>>>>> my competitors to block udp."
>>>>> :-p
>>>>>
>>>>> - ferg
>>>>>
>>>>> --
>>>>> Paul Ferguson
>>>>> VP Threat Intelligence, IID
>>>>> PGP Public Key ID: 0x54DC85B2
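The per-port policing Blake and CB describe above, as an added example that is not part of the thread: a per-port token-bucket policer sized at a multiple of a measured baseline, run over constructed traffic so the effect on an NTP reflection flood versus ordinary DNS traffic can be compared. The baseline figures, the 10x multiple, the burst allowance and the traffic mix are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed per-port legitimate baselines in bit/s (illustrative numbers, not
# figures from the thread); the point is that they are tiny next to an attack.
BASELINE_BPS = {123: 200_000, 53: 5_000_000, 161: 50_000, 19: 1_000}
MULTIPLE = 10  # police each service at some multiple of its baseline (assumed)


def policer_rates(baseline_bps, multiple=MULTIPLE):
    """Per-port policer rates (bit/s) derived as a multiple of measured baseline."""
    return {port: bps * multiple for port, bps in baseline_bps.items()}


class TokenBucket:
    """Single-rate policer: a packet within the token budget conforms, excess drops."""

    def __init__(self, rate_bps, burst_bits):
        self.rate, self.burst = rate_bps, burst_bits
        self.tokens, self.last = burst_bits, 0.0

    def conform(self, now, bits):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def police(packets, rates_bps, burst_seconds=0.1):
    """packets: time-ordered (time_s, udp_src_port, size_bytes) tuples.
    Returns {port: (passed_bits, dropped_bits)}; ports with no policer pass freely."""
    buckets = {p: TokenBucket(r, r * burst_seconds) for p, r in rates_bps.items()}
    stats = defaultdict(lambda: [0, 0])
    for t, port, size in packets:
        bits = size * 8
        bucket = buckets.get(port)
        passed = bucket is None or bucket.conform(t, bits)
        stats[port][0 if passed else 1] += bits
    return {p: tuple(v) for p, v in stats.items()}


def reflection_scenario(seconds=1.0):
    """Constructed traffic: ~4 Mbit/s of DNS answers plus ~374 Mbit/s of NTP
    reflection (468-byte replies from source port 123), generated in 1 ms steps."""
    pkts = []
    for i in range(int(seconds * 1000)):
        t = i / 1000
        pkts.append((t, 53, 500))
        pkts.extend((t, 123, 468) for _ in range(100))
    return police(pkts, policer_rates(BASELINE_BPS))
```

With these numbers the NTP flood is clamped to roughly the 2 Mbit/s policer plus its burst while the DNS traffic is untouched; legitimate NTP sharing that port is squeezed by the same policer during the attack, which is the trade-off the thread accepts.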