Filter NTP traffic by packet size?
rdrake at direcpath.com
Thu Feb 27 05:42:16 UTC 2014
On 2/26/2014 11:03 PM, Jimmy Hess wrote:
> The "well known port" assignments are advisory or recommended, for use by
> other unknown processes. The purpose of well-known port
> assignments is for service location; the port number is not a sequence of
> application identification bits.
> The QUIC protocol using port 80/udp, was a great example of a different
> application using a well-known port address, besides
> the one that would appear as the well-known port registration.
Sometimes bypassing IANA for port registration works in your favor,
sometimes it doesn't. Of course there should be a way to set up
connections that aren't listed in IANA, but using well-known low ports
isn't safe. It's biting us and we've got to counter it. UDP doesn't do
enough setup on a connection for you to really figure out if it's
chargen or some new traffic type. Even if you have the luxury of
putting a stateful firewall in place and filtering based on what
traffic is there, the only valid choice for an ISP would be to say
"permit only the registered service chargen on port 19, oh, and block it
anyway because nobody should be using chargen."
Taking the high road about blocking services was an option 10 years
ago. The gear couldn't do it and most internet users were still
somewhat tech savvy. The landscape has changed. I can't convince my
cousin not to click on ransomware. I think my only viable option is to
filter residential customers for their own good, and if someone actually
wants/needs one of these ports opened then we can work with them.*
* ISPs have also reduced their abuse staffing by blocking port 25. It's
either that or just acknowledge that you won't be able to process all
your abuse emails because there are too many people spamming/too many
compromised machines. So in some ways it's a financial need for us to
block even more aggressively than big ISPs because we can't afford to
staff abuse for things that are automatically fixable.
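The residential filtering policy argued for above, as an added example that is not the poster's own configuration: a flow record gives only the 5-tuple and a size, so the decision rests on the destination port, the customer prefix, and a per-customer exception list. Prefixes, addresses and the exception entry are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy (hypothetical): inbound UDP to these well-known ports is
# dropped for residential prefixes unless the customer asked to have it opened.
BLOCKED_UDP_PORTS = {19: "chargen", 123: "ntp"}
# Constructed example prefix and exception list (documentation addresses).
RESIDENTIAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
EXCEPTIONS = {("203.0.113.50", 123)}   # customer who runs a public NTP server

@dataclass
class Flow:
    """A flow record as the ISP sees it: just the 5-tuple and a byte count."""
    src: str
    dst: str
    proto: str
    dport: int
    size: int

def is_residential(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESIDENTIAL_PREFIXES)

def decide(flow: Flow) -> str:
    """Return 'drop' or 'permit' for an inbound flow toward a customer.
    Nothing in a UDP record says whether port 19 is chargen or some other
    application, so the port number is the only thing there is to filter on."""
    if flow.proto != "udp" or flow.dport not in BLOCKED_UDP_PORTS:
        return "permit"
    if not is_residential(flow.dst):
        return "permit"   # non-residential customers are not filtered here
    if (flow.dst, flow.dport) in EXCEPTIONS:
        return "permit"   # explicit per-customer exception
    return "drop"

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", "udp", 19, 1024),  # chargen -> residential
    Flow("198.51.100.7", "203.0.113.10", "udp", 123, 76),   # ntp -> residential
    Flow("198.51.100.7", "203.0.113.50", "udp", 123, 76),   # ntp -> excepted customer
    Flow("198.51.100.7", "192.0.2.10", "udp", 123, 76),     # ntp -> non-residential
    Flow("198.51.100.7", "203.0.113.10", "tcp", 19, 60),    # tcp/19 not covered here
]

def apply_policy(flows):
    """Evaluate every flow and return (dst, dport, decision) tuples."""
    return [(f.dst, f.dport, decide(f)) for f in flows]
```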