Filter NTP traffic by packet size?

Jimmy Hess mysidia at gmail.com
Thu Feb 27 04:03:43 UTC 2014


On Tue, Feb 25, 2014 at 11:22 AM, Staudinger, Malcolm <
mstaudinger at corp.earthlink.com> wrote:

> Why wouldn't you just block chargen entirely? Is it actually still being
> used these days for anything legitimate?
>

Long-term blocking based on port number is sure to result in problems.
It's more appropriate to block chargen to a source shown to be subject to
abuse.

Simply blocking port 19 globally could very well be interfering with other
use and disrupting connectivity for other applications not related to
chargen that just so happen to use port 19 as an endpoint.

Thanks to the wonder that is SRV records, users may, are technically
quite free to, and sometimes do locate critical services on arbitrary
alternative port numbers, such as perhaps port 19, using the DNS SRV
response instead of having clients locate the port number by relying
upon a well-known port registration with IANA.


In this case, policing or discarding port 19 traffic to hosts that do not
use port 19 for chargen is a connectivity disruption.




Among known hosts that agree to communicate on port 19 without requiring a
port registration, port number 19 may be used for any purpose, not
necessarily chargen-related.

The same goes for ports 123, 25, etc., both UDP and TCP.


Although the port is not in the traditional ephemeral range, nothing
precludes its use as an ephemeral port for various application functions,
either.

The "well-known port" assignments are advisory or recommended, for use by
other unknown processes. The purpose of well-known port assignments is
service location; the port number is not a sequence of application
identification bits.


The QUIC protocol using port 80/udp was a great example of a different
application using a well-known port address besides the one that would
appear as the well-known port registration.




> Malcolm Staudinger
> Information Security Analyst | EIS
> EarthLink
>
> E: mstaudinger at corp.earthlink.com
>
--
-JH
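The service-location point above (a client follows the SRV answer to whatever target and port the zone publishes, so a blanket drop of destination port 19 breaks that service even when nothing on it is chargen) as an added Python example. This is not code from the post or from any project it mentions; the zone name `_myapp._udp.example.net`, the target hostnames, weights and ports are constructed for the illustration, and the selection order follows the algorithm in RFC 2782.

```python
"""Client-side SRV service location per RFC 2782 (added example).

Shows that a client resolving a service through SRV connects to whatever
target:port the zone operator published.  All names, weights and ports
below are constructed for this example; the operator "chose" to run the
service on UDP/19 on two hosts, and IANA's chargen registration for port
19 plays no part in how clients find it.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRVRecord:
    """One RDATA of an SRV RRset: priority, weight, port, target."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer for _myapp._udp.example.net (hypothetical zone).
SAMPLE_SRV_ANSWER = [
    SRVRecord(priority=10, weight=60, port=19,   target="srv1.example.net."),
    SRVRecord(priority=10, weight=40, port=5019, target="srv2.example.net."),
    SRVRecord(priority=20, weight=0,  port=19,   target="backup.example.net."),
]


def order_srv(records, seed=None):
    """Return records in the order a client should try them (RFC 2782).

    Lower priority values are tried first.  Within one priority, records
    are drawn by weighted random selection: weight-0 records are placed at
    the front of the candidate list, a random number in [0, sum(weights)]
    is drawn, and the first record whose running weight sum reaches it is
    taken; the process repeats until the group is exhausted.  `seed` makes
    the draw reproducible for the reader (and the tests).
    """
    rng = random.Random(seed)
    groups = {}
    for rec in records:
        groups.setdefault(rec.priority, []).append(rec)

    ordered = []
    for priority in sorted(groups):
        # key False < True, so weight-0 records sort first as the RFC asks
        remaining = sorted(groups[priority], key=lambda r: r.weight != 0)
        while remaining:
            total = sum(r.weight for r in remaining)
            threshold = rng.randint(0, total)
            running = 0
            for rec in remaining:
                running += rec.weight
                if running >= threshold:
                    break
            ordered.append(rec)
            remaining.remove(rec)
    return ordered


def endpoints(records, seed=None):
    """(target, port) pairs in the order a client will attempt them."""
    return [(r.target, r.port) for r in order_srv(records, seed)]


def broken_by_port_filter(records, dst_port):
    """Targets a blanket drop of traffic to dst_port makes unreachable via
    this SRV RRset, regardless of which service actually runs there."""
    return sorted({r.target for r in records if r.port == dst_port})


if __name__ == "__main__":
    for target, port in endpoints(SAMPLE_SRV_ANSWER, seed=2014):
        print(f"try {target}:{port}")
    print("unreachable under a global udp/19 drop:",
          broken_by_port_filter(SAMPLE_SRV_ANSWER, 19))
```

The client never consults a port registry: the port is data in the answer. Filtering on destination port alone therefore cannot distinguish chargen from this service, which is why the post prefers blocking (or policing) chargen traffic from sources observed to be abusing it rather than the port number globally.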