[c-nsp] Shaping NTP traffic on 6500/7600
Dobbins, Roland
rdobbins at arbor.net
Thu Feb 27 15:03:45 EST 2014
On Feb 28, 2014, at 2:51 AM, Randy <amps at djlab.com> wrote:
> If the primary DDOS payload is non-initial fragments (which I suspect may be the case) it will bypass your ACL unless you match fragments, which may impact other traffic.
Actually, with ntp, it isn't - ntp handles message segmentation on its own at layer-7, generating multiple packets for long replies.
Unlike DNS, SNMP, chargen, and other UDP reflection/amplification attacks, we don't see non-initial fragments with ntp reflection/amplification attacks.
But it's a good point to keep in mind when dealing with those other attack techniques.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
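To illustrate the layer-7 segmentation Roland describes, here is an added Python example (not code from the thread or from Arbor): it decodes the mode 7 header that ntpd puts in front of every response datagram and reassembles a reply from its segments. The header layout, the 8-byte header and the 500-byte data limit follow ntpd's ntp_request.h; the segment builder is a constructed sample, and the 72-byte item size, implementation number 3 and request code 42 are assumptions matching ntpd's monlist reply.

```python
import struct

RESP_BIT, MORE_BIT, MODE_PRIVATE = 0x80, 0x40, 7
RESP_HEADER_SIZE, RESP_DATA_SIZE = 8, 500   # sizes from ntpd's ntp_request.h
MONLIST_ITEM_SIZE = 72                      # one monlist entry (assumed, info_monitor_1)

def parse_mode7_header(pkt):
    """Decode the 8-byte NTP mode 7 header that precedes each data segment."""
    if len(pkt) < RESP_HEADER_SIZE:
        raise ValueError("short mode 7 packet")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", pkt[:RESP_HEADER_SIZE])
    return {
        "response": bool(rm_vn_mode & RESP_BIT),
        "more": bool(rm_vn_mode & MORE_BIT),   # set on every segment but the last
        "mode": rm_vn_mode & 0x07,
        "seq": auth_seq & 0x7F,                # position of this segment in the reply
        "implementation": impl, "request": req,
        "nitems": err_nitems & 0x0FFF,         # items carried in this datagram
        "itemsize": mbz_itemsize & 0x0FFF,
    }

def build_response_segments(total_items, itemsize=MONLIST_ITEM_SIZE):
    """Constructed sample: split a long reply at layer 7 the way ntpd does
    (at most RESP_DATA_SIZE bytes of items per datagram, seq 0, 1, 2, ...)."""
    per_pkt = RESP_DATA_SIZE // itemsize
    segments, seq, remaining = [], 0, total_items
    while remaining > 0:
        n = min(per_pkt, remaining)
        remaining -= n
        flags = RESP_BIT | (MORE_BIT if remaining else 0) | (2 << 3) | MODE_PRIVATE
        hdr = struct.pack("!BBBBHH", flags, seq, 3, 42, n, itemsize)  # impl 3, req 42 assumed
        segments.append(hdr + b"\x00" * (n * itemsize))
        seq += 1
    return segments

def summarize_reply(segments):
    """Reassemble one reply from its mode 7 segments (any arrival order).
    Returns (item_count, largest_datagram_bytes, complete)."""
    hdrs = sorted(((parse_mode7_header(s), len(s)) for s in segments),
                  key=lambda t: t[0]["seq"])
    items = sum(h["nitems"] for h, _ in hdrs)
    largest = max(n for _, n in hdrs)
    contiguous = [h["seq"] for h, _ in hdrs] == list(range(len(hdrs)))
    complete = (contiguous and not hdrs[-1][0]["more"]
                and all(h["more"] for h, _ in hdrs[:-1]))
    return items, largest, complete
```

With these sizes a 100-entry reply becomes 17 datagrams of at most 440 bytes, far below a 1500-byte MTU, which is why the IP layer never has to fragment it and why a port-based ACL sees the full UDP header on every packet.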