[c-nsp] Shapping NTP traffic on 6500/7600

Thomas St-Pierre tstpierre at iweb.com
Wed Feb 26 18:41:45 EST 2014


We’ve been seeing a bunch NTP based DDOS’s recently, and are looking for ways to mitigate the harm they’re causing. One option I’m looking at is to police the ntp traffic at our edge interfaces.

Currently we see on average something like 15-20mb of NTP traffic in our AS. I was thinking of policing it to like 50mb at each of our edge/peer interfaces. Normal traffic shouldn’t be affected, and will help avoid saturating our internal links. Unfortunately my QOS is a bit rusty, so I’m hopping to bounce this off others. :)

Here’s the config snippet I’m thinking of using:

ip access-list extended NTP
 permit udp any eq ntp any
 permit udp any any eq ntp

class-map match-all NTP
  match access-group name NTP

policy-map ANTI-DDOS-NTP
  class NTP
   police 50000000    conform-action transmit     exceed-action drop     violate-action drop

Interface TenGigabitEthernetX/X
 service-policy input ANTI-DDOS-NTP


What I’m most worried of is, are there any hardware limitations we might hit/I should be aware of? We also have a small ACL on the interfaces already (blocking invalid stuff, such as packets with internal ip’s, etc)

I have two platforms I’d need to deploy it on:

6500 with SUP720-3BXL supervisor and X6704-10GE line cards
7600 with RSP720-3CXL-10GE supervisor and X6708-10GE line cards

Any advice would be appreciated :D


More information about the cisco-nsp mailing list