[c-nsp] NTP DDoS
Dobbins, Roland
rdobbins at arbor.net
Tue Feb 11 19:19:27 EST 2014
On Feb 12, 2014, at 6:46 AM, omar parihuana <omar.parihuana at gmail.com> wrote:
> I've just put an ACL in order to block NTP outbound traffic.
You should look at the ntp sources, find out which allow monlist, et al. (see <http://www.openntpproject.org/>), then work to remediate those specific ntpds. Blocking ntp traffic wholesale is something which might make sense in an emergency as you describe, for a brief time, but which shouldn't be done any longer than is absolutely necessary.
btw, you don't need NBAR to detect/classify this traffic - regular NetFlow will do. NBAR eats up a lot more resources on your box.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
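
One way to do the NetFlow-based classification mentioned in the message above, as an added example that is not part of the original post: it tallies UDP flows sourced from port 123 whose average packet size is far above an ordinary NTP reply, which points at the local ntpds that need remediation. The CSV column names, the sample records and both thresholds are assumptions made for this sketch.

```python
import csv
import io
from collections import defaultdict

# Constructed flow export (not real traffic); the column names are assumptions,
# so map them to whatever your NetFlow collector emits.
SAMPLE_FLOWS = """src,dst,proto,sport,dport,packets,bytes
192.0.2.10,198.51.100.7,17,123,44211,1200,561600
192.0.2.10,198.51.100.7,17,123,51023,900,421200
192.0.2.10,203.0.113.50,17,123,123,4,304
192.0.2.20,203.0.113.9,17,123,123,40,3040
192.0.2.30,203.0.113.9,17,53122,123,10,760
192.0.2.40,198.51.100.7,6,123,40000,500,250000
"""

NORMAL_NTP_IP_LEN = 76   # 20 IP + 8 UDP + 48-byte NTP header, no authenticator
SIZE_THRESHOLD = 2 * NORMAL_NTP_IP_LEN   # assumed cut-off for "oversized" replies
MIN_PACKETS = 100        # assumed floor so a handful of packets is ignored


def suspect_reflectors(flow_csv, size_threshold=SIZE_THRESHOLD, min_packets=MIN_PACKETS):
    """Return {src_ip: stats} for hosts sending oversized UDP/123 replies."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "targets": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Only UDP flows sourced from port 123 are NTP server responses.
        if row["proto"] != "17" or row["sport"] != "123":
            continue
        packets, size = int(row["packets"]), int(row["bytes"])
        if packets == 0 or size / packets <= size_threshold:
            continue  # ordinary 76-byte time replies stay out of the tally
        entry = totals[row["src"]]
        entry["packets"] += packets
        entry["bytes"] += size
        entry["targets"].add(row["dst"])
    return {
        src: {"packets": e["packets"], "bytes": e["bytes"],
              "avg_size": e["bytes"] / e["packets"], "targets": sorted(e["targets"])}
        for src, e in totals.items() if e["packets"] >= min_packets
    }


if __name__ == "__main__":
    for src, stats in suspect_reflectors(SAMPLE_FLOWS).items():
        print(f"{src}: {stats['packets']} pkts, avg {stats['avg_size']:.0f} B, "
              f"targets {stats['targets']}")
```

Hosts it reports are candidates for the per-ntpd remediation described above; ntpds that only exchange normal-sized time packets are left out.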