[c-nsp] NTP DDoS

Dobbins, Roland rdobbins at arbor.net
Tue Feb 11 19:19:27 EST 2014

On Feb 12, 2014, at 6:46 AM, omar parihuana <omar.parihuana at gmail.com> wrote:

> I've just put an ACL in order to block NTP outbound traffic.

You should look at the ntp sources, find out which allow monlist, et. al. (see <http://www.openntpproject.org/>), then work to remediate those specific ntpds.  Blocking ntp traffic wholesale is something which might make sense in an emergency as you describe, for a  brief time, but which shouldn't be done any longer than is absolutely necessary.

btw, you don't need NBAR to detect/classify this traffic - regular NetFlow will do.  NBAR eats up a lot more resources on your box.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the cisco-nsp mailing list