On Feb 13, 2014, at 1:47 PM, John <jschiel@flowtools.net> wrote:
On 02/13/2014 10:06 AM, Cb B wrote:
Good write up, includes name and shame for AT&T Wireless, IIJ, OVH, DTAG and others
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplificat...
Standard plug for http://openntpproject.org/ and http://openresolverproject.org/ and bcp38 , please fix/help.
For those of you paying attention to the outage list, this is a pretty big deal that has had daily ramification for some very big networks https://puck.nether.net/pipermail/outages/2014-February/date.html
In general, i think UDP is doomed to be blocked and rate limited -- tragedy of the commons. But, it would be nice if folks would just fix the root of the issue so the rest of us don't have go there...
UDP won't be blocked. There are some vendors that have their own hidden protocol inside UDP packets to control and communicate with their devices.
Thinking on it again, maybe blocking UDP isn't all that bad. Would force the vendors to not 'hide' their protocol.
Be careful what you wish for. I know some people have just blocked all NTP to keep their servers from participating in attacks. This is common in places where they hand off a VM/host to a customer and no longer have access despite it being in their environment. I would actually like to ask for those folks to un-block NTP so there is proper data on the number of hosts for those researching this. The right thing to do is reconfigure them. I've seen a good trend line in NTP servers being fixed, and hope we will see more of that in the next few weeks. I've seen maybe 100-200 per-ASN reports handed out to network operators. If you want yours, please e-mail ntp-scan@puck.nether.net to obtain it. Put your ASN in the subject line and/or body. - Jared (and others like Patrick that presented on the projects behalf).