UDP/123 policers & status

Jared_Mauch · March 17, 2020, 2:53pm

I’m curious what people are seeing these days on the UDP/123 policers in their networks.

I know while I was at NTT we rolled some out, and there are a number of variants that have occurred over the past 6-7 years. I’ve heard from people at the NTP Pool as well as having observed some issues with NTP at Akamai and time sync from time to time.

Are you still seeing a lot of NTP attacks in your flows these days?

Should we be looking to remove these, similar to how we did for SQL/Slammer after a time?

- Jared

Mark_Tinka1 · March 17, 2020, 3:13pm

FWIW, we've never policed udp/123 on our end. We haven't seen anything
untoward.

Mark.

rcompton · March 17, 2020, 4:01pm

Yes, we still see lots of UDP amplification attacks using NTP monlist. We use a filter to block UDP src 123 packets of 468 bytes in length (monlist reply with the max 6 IPs).

-Rich

Ca_By · March 17, 2020, 4:05pm

Yes, we still see lots of UDP amplification attacks using NTP monlist. We use a filter to block UDP src 123 packets of 468 bytes in length (monlist reply with the max 6 IPs).

-Rich

+1 , still see, still have policers

Fyi, ipv6 ntp / udp tends to have a much higher success rate getting through cgn / policers / …

Mark_Tinka1 · March 17, 2020, 4:14pm

For those that have come in as attacks toward customers, we’ve “scrubbed” them where there has been interest. Mark.

Steven_Sommars · March 17, 2020, 10:12pm

The various NTP filters (rate limits, packet size limits) are negatively affecting the NTP Pool, the new secure NTP protocol (Network Time Security) and other clients. NTP filters were deployed several years ago to solve serious DDoS issues, I’m not second guessing those decisions. Changing the filters to instead block NTP mode 7, which cover monlist and other diagnostics, would improve NTP usability.

http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf

Ca_By · March 18, 2020, 3:57pm

The various NTP filters (rate limits, packet size limits) are negatively affecting the NTP Pool, the new secure NTP protocol (Network Time Security) and other clients. NTP filters were deployed several years ago to solve serious DDoS issues, I’m not second guessing those decisions. Changing the filters to instead block NTP mode 7, which cover monlist and other diagnostics, would improve NTP usability.

http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf

Yeh, not changing ipv4 filters, Sorry pool. Burned once, twice shy.

There is no simple way to do router filters based on ntp app modes.

I suggest people be aware of time.google.com

And time.cloudflare.com

CB

Saku_Ytti1 · March 18, 2020, 4:10pm

On many edge routers from Juniper, Nokia and Cisco you can create
offset based bit-matches. I'm NTP illiterate, but isn't NTP mode in
fixed offset after UDP header? So it should be possible to do this in
hardware at linerate just the same as matching UDP port on typical
edge router.

Damian_Menscher · March 18, 2020, 11:46pm

I’ve advocated a throttle (not a hard block) on udp/123 packets with 468 Bytes/packet (the size of a full monlist response). In your paper you mention NTS extensions can be 200+ bytes. How large do those packets typically get, in practice? And how significant is packet loss for them (if there’s high packet loss during the occasional attack, does that pose a problem)?

Damian

stenn · March 19, 2020, 2:04am

    The various NTP filters (rate limits, packet size limits) are
    negatively affecting the NTP Pool, the new secure NTP protocol
    (Network Time Security) and other clients. NTP filters were
    deployed several years ago to solve serious DDoS issues, I'm not
    second guessing those decisions. Changing the filters to instead
    block NTP mode 7, which cover monlist and other diagnostics, would
    improve NTP usability.

    http://www.leapsecond.com/ntp/NTP_Suitability_PTTI2020_Revised_Sommars.pdf

I've advocated a throttle (not a hard block) on udp/123 packets with 468
Bytes/packet (the size of a full monlist response). In your paper you
mention NTS extensions can be 200+ bytes. How large do those packets
typically get, in practice? And how significant is packet loss for them
(if there's high packet loss during the occasional attack, does that
pose a problem)?

I expect to see NTP UDP packets that would approach the MTU limit, in
some cases.

If a packet is "too big" for some pathway, then are we talking about a
fractional packet loss or are we talking about 100% packet loss (dropped
mid-way due to size)?

Steven_Sommars · March 19, 2020, 2:43am

NTS is initialized using a relatively expensive, but short lived, TCP TLS session. NTP loss due to rate limiting will require more frequent TCP initializations.

The NTP size-blocks I’ve observed have been hard, not rate limits. Martin Langer provided a table showing sizes between 228 and 1468 bytes depending on the encryption algorithm and number of cookies. I’ve asked the NTS authors about potential workarounds, but suspect it would be difficult. The authors have also confirmed that size blocks have been detected during NTS tests.

The secure time transfer of NTS was designed to avoid amplification attacks. Impairment of UDP port 123 could require use of alternate UDP port(s), which might be unpopular.

Damian_Menscher · March 19, 2020, 4:37am

I implement it as a throttle… but that effectively means “0% packet loss most of the time, and significant packet loss when there’s a large attack”. Doing it as a complete block (which Sommars showed some networks do) is unnecessary.

So my question is whether occasional bursts of hard-block are a problem. If you only need large packets during the initialization phase, but the ongoing communication is done with smaller packets, then my approach may be acceptable, and we just need to convince other network operators to throttle rather than hard-block the large packets. But if you need large packets all the time, and occasional breakage of large packets causes problems, then I’ll need to re-think my approach.

Damian