Yes - I was looking into it and that was the approach that I was going to try taking. The catch is, we only want this applied on a per-IP basis, not to all traffic using UDP 123, or again, with over 40K devices, that threshold would be overrun very quickly. It would be better if PAN could define a new brute-force vulnerability for NTP so that it could be set up with a configurable threshold, and then an action be picked as a result. Until that happens, though (or if it happens at all), the DoS method may be the only thing I have to use against it.