In the interests of not causing anyone problems, my NTP server has firewall rules which look for ICMP type 3 (unreachable) packets, and add any IP address which sends such a packet to my timeserver to a temporary blacklist for five minutes. Any NTP packets originating from a host on that list are dropped with no reply.
My assumption is that any host sending an ICMP type 3 to my timeserver is probably the victim of a reflection attack (i.e. the request packets are most likely forged), and doesn’t want to be receiving NTP responses from me. Currently, traffic with such a blacklisted source IP accounts for about 6.5% of all inbound NTP traffic to my server.
It’s occurred to me, however, that with the current prevalence of NAT, my assumption may no longer be true, and that even though an IP originates such ICMP packets, there may be other hosts behind that IP which do want to use my timeserver, even though there is clearly something there which does not.
Noting this, is maintaining this firewall rule a good idea, or should I remove it, and send responses even though they may be undesired?
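The rule described in the question, modelled as an added example (this is not the poster's firewall configuration): a stateful filter that lists a source for 300 s when it sends ICMP type 3 and drops that source's NTP requests until the entry lapses. The `Packet` fields, the `NtpFilter` class and the sample traffic (documentation-range addresses) are constructed for the illustration.

```python
from dataclasses import dataclass, field
BLACKLIST_SECONDS = 300  # five minutes, as in the post
NTP_PORT = 123

@dataclass
class Packet:
    ts: float            # arrival time, seconds
    src: str             # source IP address
    proto: str           # "udp" or "icmp"
    dport: int = 0       # UDP destination port; NTP requests use 123
    icmp_type: int = -1  # ICMP type; 3 is destination unreachable

@dataclass
class NtpFilter:
    expiry: dict = field(default_factory=dict)   # src -> time entry lapses
    dropped: dict = field(default_factory=dict)  # src -> NTP packets dropped

    def is_listed(self, src, now):
        until = self.expiry.get(src)
        if until is None:
            return False
        if now >= until:  # five minutes elapsed: forget the entry
            del self.expiry[src]
            return False
        return True

    def handle(self, pkt):
        """Return 'accept' or 'drop' for one inbound packet."""
        if pkt.proto == "icmp" and pkt.icmp_type == 3:
            # The sender says it does not want our replies: list it.
            self.expiry[pkt.src] = pkt.ts + BLACKLIST_SECONDS
            return "accept"
        if pkt.proto == "udp" and pkt.dport == NTP_PORT and self.is_listed(pkt.src, pkt.ts):
            self.dropped[pkt.src] = self.dropped.get(pkt.src, 0) + 1
            return "drop"
        return "accept"

def run(packets):  # apply the policy in arrival order; return decisions and state
    f = NtpFilter()
    return [f.handle(p) for p in packets], f

# Constructed sample traffic (not real captures); addresses are documentation ranges.
SAMPLE = [
    Packet(0, "198.51.100.7", "udp", dport=123),    # ordinary client
    Packet(1, "203.0.113.9", "icmp", icmp_type=3),  # unreachable from a likely spoof victim
    Packet(2, "203.0.113.9", "udp", dport=123),     # dropped: source is listed
    Packet(3, "198.51.100.7", "udp", dport=123),    # unaffected client
    Packet(302, "203.0.113.9", "udp", dport=123),   # accepted: entry has expired
]
```

The per-source `dropped` counter is the figure to inspect when weighing the NAT concern: it shows how many NTP requests each listed address keeps sending while its entry is active.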