Filter NTP traffic by packet size?

Robert Drake rdrake at
Thu Feb 27 05:42:16 UTC 2014

On 2/26/2014 11:03 PM, Jimmy Hess wrote:
> The "well known port" assignments are advisory or recommended,  for use by
> other unknown processes.  the purpose of well known port
> assignments is for service location;  the port number is not a sequence of
> application identification bits.
> The QUIC protocol using port 80/udp, was a great example of a different
> application using a well-known port address, besides
> the one that would appear as the well-known port registration.
Sometimes bypassing IANA for port registration works in your favor, 
sometimes it doesn't.  Of course there should be a way to setup 
connections that aren't listed in IANA, but using well-known low ports 
isn't safe.  It's biting us and we've got to counter it.  UDP doesn't do 
enough setup on a connection for you to really figure out if it's 
chargen or some new traffic type.  Even if you have the luxury of 
putting a stateful firewall in a place and filtering based on what 
traffic is there, the only valid choice for an ISP would be to say 
"permit only the registered service chargen on port 19, oh, and block it 
anyway because nobody should be using chargen."

Taking the high road about blocking services was an option 10 years 
ago.  The gear couldn't do it and most internet users were still 
somewhat tech savvy.  The landscape has changed.  I can't convince my 
cousin not to click on ransomware.  I think my only viable option is to 
filter residential customers for their own good, and if someone actually 
wants/needs one of these ports opened then we can work with them.*

* ISPs have also reduced their abuse staffing by blocking port 25. It's 
either that or just acknowledge that you won't be able to process all 
your abuse emails because there are too many people spamming/too many 
compromised machines.  So in some ways it's a financial need for us to 
block even more aggressively than big ISPs because we can't afford to 
staff abuse for things that are automatically fixable.

More information about the NANOG mailing list