[Outages-discussion] NTT - High Latency between Dallas and LA exchanges
Fabian Wenk
fabian at wenks.ch
Fri May 19 13:03:38 EDT 2023
Hello
All this global/local filtering / rate-limiting of UDP would not be
needed if carriers and ISPs did proper BCP and prevented their own
networks from sending out spoofed UDP (and also TCP / IP) packets in
general.
I am running a few NTP servers for the NTP Pool project. I guess you all
are aware that NTP is using UDP/123. :)
I have one IP address, from one ISP, which for many years very often got
a bad ranking, just because one of the upstream (or in-between)
carriers (on my end or the Pool's monitoring end) thinks that the
monitoring requests to my NTP server or my answers need to be blocked.
The Pool has now heavily improved its monitoring to run from multiple
locations, just to avoid this and so not lose servers from the Pool.
As an operator of public NTP servers, I do have measures in place for
limiting answers to possibly abusive and spoofed requests from the same
IP address, to reduce the impact of being part of an amplification attack.
My servers have more inbound than outbound packets for NTP; in a perfect
world they should be equal.
Best regards,
Fabian
On 18.05.2023 21:09, Ross Tajvar via Outages-discussion wrote:
> It makes sense to heavily rate-limit certain UDP traffic that "should" not
> be much on the DFZ and is commonly used in amplification attacks (things
> like SSDP, LDAP, memcached, etc.). NTT does this on all customer ports.
> Rate-limiting ALL UDP in 2023 is a very bad idea.
>
> On Thu, May 18, 2023 at 10:00 AM John Kristoff via Outages-discussion <
> outages-discussion at outages.org> wrote:
>
>> On Thu, 18 May 2023 13:04:20 +0000
>> Joseph Jackson via Outages-discussion <outages-discussion at outages.org>
>> wrote:
>>
>> > As a VoIP provider whose traffic is almost all UDP, and a lot of it, I
>> > had no idea this was something that people, much less ISPs, thought.
>> > I have never come across the idea that UDP traffic through routers, at
>> > least in my experience, was being rate limited.
>>
>> I don't know how widespread it is, but this was precisely something I
>> had done many years ago before QUIC. Slammer was what stimulated me to
>> implement "edge" rate limits on UDP traffic towards external
>> destinations at an edu. So for example, ingress to the network
>> traffic from an end user subnet I set a max of 10 Mb/s for UDP traffic
>> not destined to internal prefixes.
>>
>> I left the organization and came back years later. When there were
>> complaints of some random real-time game performance I discovered
>> someone had later put an aggregate limit of about 100 to 200 Mb/s for
>> UDP at peering routers, and with the rise of the QUIC, that limit was
>> now being reached by the total sum of UDP traffic from all internal
>> subnets. I proceeded to get rid of the hard-coded UDP limits with this
>> new reality. It seemed like a reasonable thing to do at the time, but
>> not so much now. Like manually configured bogon filters, I would assume
>> there may be similar cases lurking out there.
>>
>> John
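Fabian mentions limiting answers to repeated requests from the same source IP so a server contributes less to an amplification attack, and comparing inbound to outbound NTP packet counts. The following is an added illustration of that idea, not code from the thread or from ntpd: a simplified per-source limiter modelled loosely on ntpd's "restrict ... limited" behaviour (discard minimum 2 = 2^1 s, discard average 3 = 2^3 s are ntpd's documented defaults; the averaging rule here is an assumption, not ntpd's exact algorithm), with the per-source answered/received ratio Fabian describes.

```python
from collections import defaultdict

# ntpd's documented default rate limits, in seconds (discard minimum 2^1, average 2^3).
DISCARD_MINIMUM = 2.0   # packets closer together than this are never answered
DISCARD_AVERAGE = 8.0   # a smoothed inter-packet gap below this trips the limiter


class NtpResponseLimiter:
    """Decide, per source IP, whether an NTP request should be answered.

    Simplified model (assumption, not ntpd's code): a source is answered only if
    its last packet is at least DISCARD_MINIMUM seconds old AND its smoothed
    inter-packet gap is still at least DISCARD_AVERAGE seconds.
    """

    def __init__(self, min_interval=DISCARD_MINIMUM, avg_interval=DISCARD_AVERAGE):
        self.min_interval = min_interval
        self.avg_interval = avg_interval
        self.last_seen = {}               # src -> timestamp of last packet
        self.avg_gap = {}                 # src -> smoothed inter-packet gap
        self.inbound = defaultdict(int)   # src -> requests received
        self.outbound = defaultdict(int)  # src -> responses sent

    def should_answer(self, src, now):
        self.inbound[src] += 1
        last = self.last_seen.get(src)
        self.last_seen[src] = now
        if last is None:
            # First packet from this source: assume a well-behaved client.
            self.avg_gap[src] = self.avg_interval
            self.outbound[src] += 1
            return True
        gap = now - last
        # Exponential moving average with weight 1/2 (assumption, see lead-in).
        self.avg_gap[src] = (self.avg_gap[src] + gap) / 2
        if gap < self.min_interval or self.avg_gap[src] < self.avg_interval:
            return False   # drop; ntpd can send a KoD packet here if configured
        self.outbound[src] += 1
        return True

    def ratio(self, src):
        """Answered/received ratio for a source: 1.0 in a perfect world, lower when limited."""
        return self.outbound[src] / self.inbound[src]


def simulate(limiter, src, timestamps):
    """Feed constructed request timestamps for one source; return how many were answered."""
    return sum(1 for t in timestamps if limiter.should_answer(src, t))
```

A normal client polling every 64 s is always answered, while a burst of requests carrying one (possibly spoofed) source address gets a single reply, so the ratio for that source drops far below 1.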