Filter NTP traffic by packet size?
mysidia at gmail.com
Thu Feb 27 04:03:43 UTC 2014
On Tue, Feb 25, 2014 at 11:22 AM, Staudinger, Malcolm <mstaudinger at corp.earthlink.com> wrote:
> Why wouldn't you just block chargen entirely? Is it actually still being
> used these days for anything legitimate?
Long-term blocking based on port number is sure to result in problems.
It's more appropriate to block chargen to a source shown to be subject to
Simply blocking port 19 globally could very well interfere with other uses
and disrupt connectivity for other applications, unrelated to chargen, that
just so happen to use port 19 as an endpoint.
Thanks to the wonder that is SRV records, users may, are technically quite
free to, and sometimes do locate critical services on arbitrary alternative
port numbers, such as perhaps port 19, using the DNS SRV response instead of
having clients locate the port number by relying upon a well-known port
registration with IANA.
In this case, policing or discarding port 19 traffic to hosts that do not
use port 19 for chargen is a connectivity disruption.
Among known hosts that agree to communicate on port 19 without requiring a
port registration, port 19 may be used for any purpose, not necessarily
chargen. The same goes for ports 123, 25, etc., both UDP and TCP.
Although the port is not in the traditional ephemeral range, nothing
precludes its use as an ephemeral port for various application functions,
either.
The "well-known port" assignments are advisory or recommended, for use by
other unknown processes. The purpose of well-known port assignments is
service location; the port number is not a sequence of application
identification bits.
The QUIC protocol using port 80/udp was a great example of a different
application using a well-known port address, besides the one that would
appear as the well-known port registration.
> Malcolm Staudinger
> Information Security Analyst | EIS
> E: mstaudinger at corp.earthlink.com
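The collateral-damage argument above can be checked mechanically: resolve the endpoints a zone advertises via SRV, then ask which of them a proposed ACL would silence. The following Python is an added example written for this page, not code from the thread or from either poster. The zone fragment, the client addresses and the two ACL rules are all constructed illustrations (example.net, 198.51.100.7, 203.0.113.0/24 are documentation ranges, not real hosts); `parse_srv`, `Rule` and `collateral` are names chosen here. It contrasts a blanket udp/19 drop with one scoped to a single abusive source prefix, which is the distinction the post draws.

```python
"""Collateral-damage check for a port-number ACL against SRV-located services.

Added example for the discussion above; not code from the NANOG thread.
Every input here is constructed: the zone lines, the client addresses and
the ACL rules are hypothetical illustrations, not real DNS or network data.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Presentation-format SRV record: _service._proto.name TTL IN SRV prio weight port target
SRV_RE = re.compile(
    r"^_(?P<service>[^.\s]+)\._(?P<proto>tcp|udp)\.\S+\s+\d+\s+IN\s+SRV\s+"
    r"\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)

# Constructed zone fragment: two services deliberately advertised on port 19.
SAMPLE_ZONE = """\
; hypothetical zone for example.net (constructed sample, not real data)
_sip._udp.example.net.          3600 IN SRV 10 60 19   sipa.example.net.
_sip._udp.example.net.          3600 IN SRV 10 40 5060 sipb.example.net.
_ntp._udp.example.net.          3600 IN SRV 0  0  123  time.example.net.
_xmpp-client._tcp.example.net.  3600 IN SRV 5  0  19   chat.example.net.
sipa.example.net.               3600 IN A   192.0.2.10
"""


@dataclass(frozen=True)
class Endpoint:
    service: str
    proto: str
    port: int
    target: str


def parse_srv(zone_text: str) -> list[Endpoint]:
    """Return the SRV-advertised endpoints in a zone fragment; other records are ignored."""
    endpoints = []
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            endpoints.append(Endpoint(m["service"], m["proto"], int(m["port"]), m["target"]))
    return endpoints


@dataclass(frozen=True)
class Rule:
    """A drop rule keyed on protocol and destination port, optionally scoped to a source prefix."""
    proto: str
    dst_port: int
    src: ipaddress.IPv4Network | None = None  # None means the rule applies to every source

    def drops(self, proto: str, port: int, src_ip: str) -> bool:
        if self.proto != proto or self.dst_port != port:
            return False
        return self.src is None or ipaddress.ip_address(src_ip) in self.src


def collateral(rules: list[Rule], endpoints: list[Endpoint],
               clients: list[str]) -> list[tuple[Endpoint, str]]:
    """List (endpoint, client) pairs whose SRV-located traffic the rules would drop."""
    return [(ep, c) for ep in endpoints for c in clients
            if any(r.drops(ep.proto, ep.port, c) for r in rules)]


# Constructed clients: one ordinary user and one source observed sending chargen abuse.
CLIENTS = ["198.51.100.7", "203.0.113.9"]
GLOBAL_RULE = Rule("udp", 19)                                            # blanket udp/19 drop
TARGETED_RULE = Rule("udp", 19, ipaddress.ip_network("203.0.113.0/24"))  # drop only from the abusive prefix

if __name__ == "__main__":
    eps = parse_srv(SAMPLE_ZONE)
    for label, rule in (("global", GLOBAL_RULE), ("targeted", TARGETED_RULE)):
        for ep, client in collateral([rule], eps, CLIENTS):
            print(f"{label}: {client} -> {ep.service}/{ep.proto} port {ep.port} ({ep.target}) dropped")
```

Run as a script, the global rule reports the legitimate 198.51.100.7 as cut off from the SRV-advertised SIP endpoint on udp/19 alongside the abusive source, while the targeted rule reports only the abusive source; the tcp/19 XMPP endpoint is untouched by either rule because the rules key on protocol as well as port.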
More information about the NANOG