On Wed, Mar 18, 2020 at 8:46 AM Steven Sommars <stevesommarsntp@gmail.com> wrote:
The various NTP filters (rate limits, packet size limits) are negatively affecting the NTP Pool, the new secure NTP protocol (Network Time Security) and other clients.  NTP filters were deployed several years ago to solve serious DDoS issues, I'm not second guessing those decisions.  Changing the filters to instead block NTP mode 7, which cover monlist and other diagnostics, would improve NTP usability.

http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf  

Yeh, not changing ipv4 filters, Sorry pool. Burned once, twice shy. 

There is no simple way to do router filters based on ntp app modes.  

I suggest people be aware of time.google.com 

And  time.cloudflare.com 

CB


On Tue, Mar 17, 2020 at 11:17 AM Mark Tinka <mark.tinka@seacom.mu> wrote:


On 17/Mar/20 18:05, Ca By wrote:




+1 , still see, still have policers

Fyi, ipv6 ntp / udp tends to have a much higher success rate getting through cgn / policers / ...

For those that have come in as attacks toward customers, we've "scrubbed" them where there has been interest.

Mark.