The various NTP filters (rate limits, packet size limits) are negatively affecting the NTP Pool, the new secure NTP protocol (Network Time Security) and other clients. NTP filters were deployed several years ago to solve serious DDoS issues, I'm not second guessing those decisions. Changing the filters to instead block NTP mode 7, which cover monlist and other diagnostics, would improve NTP usability.
Yeh, not changing ipv4 filters, Sorry pool. Burned once, twice shy.
There is no simple way to do router filters based on ntp app modes.
CB
On 17/Mar/20 18:05, Ca By wrote:
+1 , still see, still have policers
Fyi, ipv6 ntp / udp tends to have a much
higher success rate getting through cgn / policers / ...
For those that have come in as attacks toward customers, we've
"scrubbed" them where there has been interest.
Mark.