[c-nsp] Shaping NTP traffic on 6500/7600

Dobbins, Roland rdobbins at arbor.net
Thu Feb 27 15:03:45 EST 2014


On Feb 28, 2014, at 2:51 AM, Randy <amps at djlab.com> wrote:

> If the primary DDoS payload is non-initial fragments (which I suspect may be the case), it will bypass your ACL unless you match fragments, which may impact other traffic.

Actually, with NTP, it isn't - NTP handles message segmentation on its own at layer 7, generating multiple packets for long replies.

Unlike DNS, SNMP, chargen, and other UDP reflection/amplification attacks, we don't see non-initial fragments with NTP reflection/amplification attacks.

But it's a good point to keep in mind when dealing with those other attack techniques.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
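The point made in the exchange above, as an added example that is not part of the original post or of any Cisco code: a non-initial IP fragment carries no UDP header, so an ACL entry that matches on a port cannot see it, while an NTP-style reply that arrives as several complete, unfragmented datagrams is matched in full. The packets, addresses (documentation ranges), the reflector/victim names and the ACL evaluator are all constructed here; the evaluator is a deliberately simplified model (first match, implicit deny, a `fragments` flag that matches only non-initial fragments), not the 6500/7600 platform's exact ACL semantics.

```python
"""Added example: port-based ACL vs. IP fragments, NTP-style vs. DNS-style replies.

Everything below is constructed for illustration; it is not code from the
cisco-nsp post and it does not reproduce the exact ACL semantics of any router.
"""
import struct
from dataclasses import dataclass
from typing import Optional

MTU = 1500
IP_HDR_LEN = 20
UDP_HDR_LEN = 8
REFLECTOR = "192.0.2.10"    # constructed reflector address (TEST-NET-1)
VICTIM = "198.51.100.7"     # constructed victim address (TEST-NET-2)


@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int            # 17 = UDP
    more_fragments: bool
    frag_offset: int      # in 8-byte units, 0 for the first (or only) fragment
    payload: bytes        # UDP header + data when frag_offset == 0, data only otherwise

    def udp_ports(self):
        """Return (sport, dport) if a UDP header is present, else None."""
        if self.proto != 17 or self.frag_offset != 0 or len(self.payload) < UDP_HDR_LEN:
            return None
        return struct.unpack("!HH", self.payload[:4])


def udp_datagram(sport, dport, data):
    """Build a UDP datagram (checksum left at 0; irrelevant for this model)."""
    return struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(data), 0) + data


def fragment(src, dst, datagram):
    """Split one UDP datagram into IPv4 fragments the way a host does at MTU 1500.

    Only the first fragment carries the UDP header; later fragments carry data only.
    """
    max_data = (MTU - IP_HDR_LEN) // 8 * 8      # 1480: fragment data is 8-byte aligned
    frags, offset = [], 0
    while offset < len(datagram):
        chunk = datagram[offset:offset + max_data]
        more = offset + len(chunk) < len(datagram)
        frags.append(IPv4Packet(src, dst, 17, more, offset // 8, chunk))
        offset += len(chunk)
    return frags


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: str                     # "udp" or "ip"
    sport: Optional[int] = None    # match UDP source port; None = any
    fragments: bool = False        # match only non-initial fragments


def acl_action(acl, pkt):
    """First-match evaluation with an implicit deny at the end (simplified model).

    An entry that needs a port cannot match a non-initial fragment, because that
    fragment has no UDP header; an entry flagged `fragments` matches only those.
    """
    for e in acl:
        non_initial = pkt.frag_offset != 0
        if e.fragments and not non_initial:
            continue
        if e.proto == "udp" and pkt.proto != 17:
            continue
        if e.sport is not None:
            ports = pkt.udp_ports()
            if ports is None or ports[0] != e.sport:
                continue
        return e.action
    return "deny"


def count_actions(acl, pkts):
    counts = {"permit": 0, "deny": 0}
    for p in pkts:
        counts[acl_action(acl, p)] += 1
    return counts


def ntp_style_reply(n_packets=6, chunk=440):
    """NTP segments a long reply at layer 7: n separate datagrams, none fragmented."""
    pkts = []
    for i in range(n_packets):
        pkts.extend(fragment(REFLECTOR, VICTIM, udp_datagram(123, 40000, bytes([i]) * chunk)))
    return pkts


def dns_style_reply(size=3000):
    """A large DNS-style reply is one datagram that IP fragments on the wire."""
    return fragment(REFLECTOR, VICTIM, udp_datagram(53, 40000, b"A" * size))


PORT_ACL_NTP = [AclEntry("deny", "udp", sport=123), AclEntry("permit", "ip")]
PORT_ACL_DNS = [AclEntry("deny", "udp", sport=53), AclEntry("permit", "ip")]
FRAG_AWARE_DNS = [AclEntry("deny", "ip", fragments=True)] + PORT_ACL_DNS


if __name__ == "__main__":
    print("NTP reply, port ACL:     ", count_actions(PORT_ACL_NTP, ntp_style_reply()))
    print("DNS reply, port ACL:     ", count_actions(PORT_ACL_DNS, dns_style_reply()))
    print("DNS reply, fragments ACL:", count_actions(FRAG_AWARE_DNS, dns_style_reply()))
    legit = fragment(VICTIM, REFLECTOR, udp_datagram(5000, 5001, b"x" * 2000))
    print("unrelated fragmented flow, fragments ACL:", count_actions(FRAG_AWARE_DNS, legit))
```

The last line of the run shows the cost Randy points at: a `fragments` entry catches the non-initial fragments of the DNS-style reply, but it also drops the non-initial fragments of every other fragmented flow crossing the box, so it is not a free fix; the NTP case needs none of this because every reply packet is a complete datagram with its port visible.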
