Re: TWC (AS11351) blocking all NTP?
It seems that hosts sending large amounts of NTP traffic over the public Internet can be safely filtered if you don't already know that it's one of the handful that's in the ntp.org pools or another well known NTP master.
Speaking as one of the 3841 servers in the pool.ntp.org pool, I'm happy to be described as a "handful," something my mother used to say, but I do feel obligated to point out that it's a pretty big handful, especially if you want to be fiddling ACLs on an hourly basis, which is pretty much what it takes. And, of course, if you're one of that handful, then you've pretty much got to allow that NTP traffic in, although you're also probably, hopefully, clue-full enough not to let random hosts make you a DDoS accelerator.

(the other) jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One  Phone: +1 520 324 0494
jms@Opus1.COM  http://www.opus1.com/jms
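Joel's caveat, that a pool member must not let random hosts turn it into a DDoS accelerator, comes down to the server's own ntpd restrictions. What follows is an added example, not code from the thread or from ntp.org: a small Python audit of an ntp.conf that checks the `restrict default` line carries `noquery` (which refuses mode 6/7 control queries such as monlist, the ones with large replies) together with `nomodify`/`notrap`, and that `disable monitor` is set as defense in depth. The directives are real ntpd syntax; the two sample configurations are constructed for the example.

```python
"""Audit an ntp.conf for the restrictions that keep a public NTP server
from being used as a reflection/amplification source.

Added example (not from the thread). Directive names are real ntpd
syntax; the sample configurations below are constructed.
"""
import shlex

# Flags a public server's `restrict default` line should carry. `noquery`
# refuses mode 6/7 control queries (ntpq/ntpdc, including monlist), which
# are the ones with large replies; `nomodify`/`notrap` stop remote
# reconfiguration and trap registration. `kod`/`nopeer` are good practice
# but are not checked here.
REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify", "notrap"}


def parse_ntp_conf(text):
    """Return (default_restricts, disabled_features) from ntp.conf text.

    default_restricts maps a label ('default', '-4 default', '-6 default')
    to the set of flags on that restrict line; per-host restrict lines
    (e.g. `restrict 127.0.0.1`) are not part of the default policy and
    are skipped. disabled_features is the set of `disable` arguments.
    """
    defaults = {}
    disabled = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "restrict":
            args = tokens[1:]
            fam = ""
            if args and args[0] in ("-4", "-6"):
                fam = args.pop(0) + " "
            if args and args[0] == "default":
                defaults[fam + "default"] = set(args[1:])
        elif tokens[0] == "disable":
            disabled.update(tokens[1:])
    return defaults, disabled


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the checks pass."""
    defaults, disabled = parse_ntp_conf(text)
    findings = []
    if not defaults:
        findings.append("no `restrict default` line: any host may query and control ntpd")
    for label, flags in sorted(defaults.items()):
        if "ignore" in flags:
            continue  # unlisted sources are dropped entirely; nothing to amplify
        missing = REQUIRED_DEFAULT_FLAGS - flags
        if missing:
            findings.append(f"`restrict {label}` lacks: {' '.join(sorted(missing))}")
    if "monitor" not in disabled:
        findings.append("`disable monitor` not set (defense in depth: monlist stays "
                        "answerable to any source that escapes noquery)")
    return findings


# Constructed: serves time to everyone, but also answers control queries.
WEAK_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default nomodify notrap
restrict 127.0.0.1
"""

# Constructed: time service for the world, control queries only from localhost.
HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "ok")
```

The audit deliberately treats `restrict default ignore` as passing, since a server that drops everything from unlisted sources cannot reflect anything; a pool member, of course, cannot use that setting and needs the `noquery` form instead.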
It seems that hosts sending large amounts of NTP traffic over the public Internet can be safely filtered if you don't already know that it's one of the handful that's in the ntp.org pools or another well known NTP master.
Speaking as one of the 3841 servers in the pool.ntp.org pool, I'm happy to be described as a "handful," something my mother used to say, but I do feel obligated to point out that it's a pretty big handful especially if you want to be fiddling ACLs on an hourly basis which is pretty much what it takes.
I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
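The policy John sketches, a per-source rate limit on outbound NTP with the operator's known pool members exempted, can be modelled directly. The block below is an added example, not code from the thread: a token-bucket limiter keyed on local source address, applied only to UDP/123 leaving the network, with an exemption set for addresses the operator has already identified as pool.ntp.org members. The prefixes, the exempt address, the rate and the flow records are constructed for this example; a real deployment would feed it NetFlow/sFlow samples or apply the equivalent router rule.

```python
"""Per-source rate limit on outbound NTP with an exemption list for the
known pool servers on the operator's own network.

Added example (not from the thread). Addresses, limits and the flow
records in run_demo() are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

NTP_PORT = 123


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class OutboundNtpLimiter:
    def __init__(self, local_nets, pool_exempt, rate_pps, burst):
        self.local_nets = [ip_network(n) for n in local_nets]
        self.pool_exempt = {ip_address(a) for a in pool_exempt}
        self.rate = rate_pps
        self.burst = burst
        self.buckets = {}
        self.stats = defaultdict(lambda: {"passed": 0, "dropped": 0, "exempt": 0})

    def _is_local(self, addr):
        return any(addr in n for n in self.local_nets)

    def decide(self, ts, src, dst, sport, dport):
        """Return 'pass', 'drop' or 'exempt' for one packet/flow sample."""
        s = ip_address(src)
        # Only outbound NTP is in scope: local source, remote destination,
        # port 123 at either end (client polls and server replies alike).
        if not self._is_local(s) or self._is_local(ip_address(dst)):
            return "pass"
        if NTP_PORT not in (sport, dport):
            return "pass"
        if s in self.pool_exempt:          # the operator's known pool member
            self.stats[src]["exempt"] += 1
            return "exempt"
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst))
        verdict = "pass" if bucket.allow(ts) else "drop"
        self.stats[src]["passed" if verdict == "pass" else "dropped"] += 1
        return verdict


def run_demo():
    """Run three constructed senders through the limiter; return per-source stats."""
    limiter = OutboundNtpLimiter(
        local_nets=["198.51.100.0/24"],      # constructed: "our" network
        pool_exempt=["198.51.100.10"],       # constructed: our pool.ntp.org member
        rate_pps=20, burst=40)
    records = []
    # A workstation polling upstream servers once every 64 s.
    records += [(float(t), "198.51.100.50", "203.0.113.5", 123, 123)
                for t in range(0, 640, 64)]
    # The pool member answering clients at 500 pps for one second.
    records += [(1.0 + i / 500, "198.51.100.10", f"203.0.113.{i % 250 + 1}", 123, 40000 + i)
                for i in range(500)]
    # A host being abused as a reflector: 500 pps toward one victim for one second.
    records += [(1.0 + i / 500, "198.51.100.77", "192.0.2.9", 123, 53210)
                for i in range(500)]
    records.sort(key=lambda r: r[0])
    for rec in records:
        limiter.decide(*rec)
    return {src: dict(st) for src, st in limiter.stats.items()}


if __name__ == "__main__":
    for src, st in run_demo().items():
        print(src, st)
```

With a 20 pps rate and a 40-packet burst, the workstation's polls never touch the limit, the exempt pool member is not limited at all, and the abused host gets roughly 60 of its 500 packets through. The demo also shows the weakness Joel and Joe Greco point at: the exemption only works for addresses the operator already knows about, and an unlisted pool member would be throttled just like the abuser.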
On Feb 3, 2014, at 3:29 PM, John R. Levine <johnl@iecc.com> wrote:
It seems that hosts sending large amounts of NTP traffic over the public Internet can be safely filtered if you don't already know that it's one of the handful that's in the ntp.org pools or another well known NTP master.
Speaking as one of the 3841 servers in the pool.ntp.org pool, I'm happy to be described as a "handful," something my mother used to say, but I do feel obligated to point out that it's a pretty big handful especially if you want to be fiddling ACLs on an hourly basis which is pretty much what it takes.
I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic.
www.pool.ntp.org allows any NTP operator to opt-in to receive NTP traffic should their clock be available and accurate. - Jared
I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic.
www.pool.ntp.org allows any NTP operator to opt-in to receive NTP traffic should their clock be available and accurate.
I believe you, but I don't believe that the set of ntp.org servers changes so rapidly that it is beyond the ability of network operators to handle the ones on their own networks as a special case.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic.
www.pool.ntp.org allows any NTP operator to opt-in to receive NTP traffic should their clock be available and accurate.
I believe you, but I don't believe that the set of ntp.org servers changes so rapidly that it is beyond the ability of network operators to handle the ones on their own networks as a special case.
There's a bootstrap issue here. I'm guessing that you may be picturing a scenario where a network operator simply queries to obtain the list of ntp.org servers and special-cases their own. However, I believe that the system won't add NTP servers that appear to be nonresponsive to the list (bootstrap paradox), and in any case the list of returned servers is quite large and a response basically picks a few random servers, so it is quite difficult to know what servers are on your network in an automated fashion.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
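Joe's two points, that each pool DNS answer is a small random sample and that a server the monitor sees as nonresponsive is withheld from DNS at all, can be put in numbers with a short simulation. This is an added example, not code from the thread or from pool.ntp.org. It assumes a fixed number of randomly chosen members per DNS answer (four, set in `ANSWERS_PER_QUERY`; an assumption for the simulation) and that members below the monitor's score threshold are never returned; the zone size, the set of withheld members and the seed are constructed.

```python
"""Simulate an operator trying to learn pool.ntp.org members by repeatedly
querying the pool's DNS.

Added example (not from the thread). Assumptions: each answer carries
ANSWERS_PER_QUERY randomly chosen healthy members, and members the
pool monitor has scored below threshold are withheld from DNS entirely.
Zone size, withheld set and seed are constructed.
"""
import random

ANSWERS_PER_QUERY = 4   # assumption: addresses returned per pool DNS query


def simulate_pool_enumeration(zone_size, withheld, seed, max_queries=100_000):
    """Query a simulated pool zone until every healthy member has appeared
    at least once; return (queries_used, observed, never_seen).

    `withheld` is the set of member indices the pool monitor has scored
    below threshold. They are never handed out, exactly like a member that
    stopped answering because its own operator's ACL cut it off, so an
    operator who filters first can never discover it this way. In reality
    the operator also has no way to know when the observed set is complete;
    the stop condition here is only for the simulation.
    """
    rng = random.Random(seed)
    healthy = [i for i in range(zone_size) if i not in withheld]
    observed = set()
    queries = 0
    while len(observed) < len(healthy) and queries < max_queries:
        answer = rng.sample(healthy, min(ANSWERS_PER_QUERY, len(healthy)))
        observed.update(answer)
        queries += 1
    never_seen = set(range(zone_size)) - observed
    return queries, observed, never_seen


if __name__ == "__main__":
    # Constructed: a 150-member zone with every tenth member below threshold.
    q, seen, hidden = simulate_pool_enumeration(150, set(range(0, 150, 10)), seed=7)
    print(f"{q} queries to see all {len(seen)} healthy members; "
          f"{len(hidden)} members never appeared")
```

Even for this small zone the coupon-collector effect means it takes well over a hundred queries to see every healthy member once, and the withheld members never appear no matter how long one queries, which is the bootstrap problem Joe describes.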
On Mon, 03 Feb 2014 11:29:21 -0600, Joe Greco said:
There's a bootstrap issue here. I'm guessing that you may be picturing a scenario where a network operator simply queries to obtain the list of ntp.org servers and special-cases their own. However, I believe that the system won't add NTP servers that appear to be nonresponsive to the list (bootstrap paradox), and in any case the list of returned servers is quite large and a response basically picks a few random servers, so it is quite difficult to know what servers are on your network in an automated fashion.
And even harder to identify stuff that's downstream at one of your customer's sites.
On 02/03/2014 12:50 PM, John R. Levine wrote:
I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic.
www.pool.ntp.org allows any NTP operator to opt-in to receive NTP traffic should their clock be available and accurate.
I believe you, but I don't believe that the set of ntp.org servers changes so rapidly that it is beyond the ability of network operators to handle the ones on their own networks as a special case.
The list is large enough, and changes often enough, that filtering on it isn't likely to be successful. Also, the list of what are "your" servers can change without warning. Doug
On Mon, Feb 03, 2014 at 03:50:03PM -0500, John R. Levine wrote:
I believe you, but I don't believe that the set of ntp.org servers changes so rapidly that it is beyond the ability of network operators to handle the ones on their own networks as a special case.
I think you'd be surprised. I have to say I've been shocked at how little most network operators appear to understand about how NTP actually works, and how little thought is going into the consequences of suggested filtering techniques. Has anyone considered the implications of a world where your customers cannot correlate timestamps on abuse reports because you decided you knew better than they did how, and which sources of time they would be allowed to use? NTP works best with a diverse set of peers. You know, outside your little bubble, or walled garden, or whatever people in this thread appear to be trying to build. I'm not sure what to call it, but it's definitely not the Internet. --msa
On 02/03/2014 05:10 PM, Majdi S. Abbas wrote:
NTP works best with a diverse set of peers. You know, outside your little bubble, or walled garden, or whatever people in this thread appear to be trying to build. I'm not sure what to call it, but it's definitely not the Internet.
"The Internet" is increasingly becoming something we want someone else to implement so that we can exploit it. Doug
On the contrary, I encourage all competitors to block protocols indiscriminately, especially ipv4 UDP. Nothing bad could ever come of that!

-Blake

On Tue, Feb 4, 2014 at 12:29 AM, Doug Barton <dougb@dougbarton.us> wrote:
On 02/03/2014 05:10 PM, Majdi S. Abbas wrote:
NTP works best with a diverse set of peers. You know, outside your little bubble, or walled garden, or whatever people in this thread appear to be trying to build. I'm not sure what to call it, but it's definitely not the Internet.
"The Internet" is increasingly becoming something we want someone else to implement so that we can exploit it.
Doug
participants (8)
- Blake Dunlap
- Doug Barton
- Jared Mauch
- Joe Greco
- Joel M Snyder
- John R. Levine
- Majdi S. Abbas
- Valdis.Kletnieks@vt.edu