On 27 Mar 2020, at 18:54, Saku Ytti <saku@ytti.fi> wrote:
On Fri, 27 Mar 2020 at 19:48, Ragnar Sundblad <ragge@kth.se> wrote:
Is this really what the ISP community wants - to kill off port 123, and force NTP to move to random ports?
Make NTP attenuation vector, so that reply is guaranteed to be significantly smaller than request, and by standard drop small requests.
The NTP replies on port 123 are of the same size as the request, or smaller on error. If filtering on request/reply (or “mode” in NTP lingo), you could filter out the control packets which have the amplification problems in very old configurations. You could allow request and reply, mode 3 and 4, but disallow control packets, mode 6. This kind of filtering may not be possible in all equipment though.

Another option is to rate limit the traffic, even though that is not entirely without problems either - public servers are supposed to get a lot more traffic than a typical client generates.

I know that ISPs have been hunting down machines with other services that could be used for e.g. amplification or spam, like SMTP relays, DNS resolvers, HTTP proxies, and similar. This would be fully possible also with these bad NTP configurations that have not been updated in many, many years. I think only the ISPs are in a position to both find out who they are, and to force them to be fixed.

Ragnar
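The mode-based allow-list Ragnar describes (pass mode 3 client requests and mode 4 server replies, drop mode 6 control packets), as an added example that is not part of the thread. It decodes the LI/VN/Mode byte that starts every NTP packet and applies the decision to constructed sample packets; it also drops mode 7 (the implementation-private mode that the old monlist query used), which goes slightly beyond what the message lists.

```python
"""Classify NTP packets by mode and apply a mode 3/4 allow-list.

The first byte of every NTP packet packs three fields:
    LI (2 bits) | VN (3 bits) | Mode (3 bits)
Mode 3 = client request, mode 4 = server reply, mode 6 = control
(ntpq-style queries), mode 7 = private (ntpdc/monlist-style queries).
The sample packets below are constructed, not captured traffic.
"""
from dataclasses import dataclass

MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}
# Allow-list from the thread: ordinary request/reply only.
ALLOWED_MODES = {3, 4}


@dataclass(frozen=True)
class NtpHeader:
    leap: int
    version: int
    mode: int


def parse_header(packet: bytes) -> NtpHeader:
    """Decode LI/VN/Mode from the first byte of a UDP/123 payload."""
    if len(packet) < 1:
        raise ValueError("empty payload")
    b0 = packet[0]
    return NtpHeader(leap=b0 >> 6, version=(b0 >> 3) & 0x07, mode=b0 & 0x07)


def filter_decision(packet: bytes) -> str:
    """Return 'allow' for mode 3/4 packets, 'drop' for everything else."""
    try:
        hdr = parse_header(packet)
    except ValueError:
        return "drop"
    return "allow" if hdr.mode in ALLOWED_MODES else "drop"


# Constructed samples: 48-byte v4 client request and server reply,
# a 12-byte v2 control (mode 6) query, an 8-byte v2 private (mode 7) query.
CLIENT_REQUEST = bytes([0x23]) + bytes(47)   # LI=0, VN=4, mode 3
SERVER_REPLY = bytes([0x24]) + bytes(47)     # LI=0, VN=4, mode 4
CONTROL_QUERY = bytes([0x16]) + bytes(11)    # LI=0, VN=2, mode 6
PRIVATE_QUERY = bytes([0x17]) + bytes(7)     # LI=0, VN=2, mode 7

if __name__ == "__main__":
    for name, pkt in [("client", CLIENT_REQUEST), ("server", SERVER_REPLY),
                      ("control", CONTROL_QUERY), ("private", PRIVATE_QUERY)]:
        h = parse_header(pkt)
        print(f"{name:8s} v{h.version} mode {h.mode} "
              f"({MODE_NAMES[h.mode]}): {filter_decision(pkt)}")
```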