nanog mailing list archives
Re: Filter NTP traffic by packet size?
From: Robert Drake <rdrake () direcpath com>
Date: Thu, 27 Feb 2014 00:42:16 -0500
On 2/26/2014 11:03 PM, Jimmy Hess wrote:
> The "well known port" assignments are advisory or recommended, for use by other unknown processes. The purpose of well known port assignments is for service location; the port number is not a sequence of application identification bits. The QUIC protocol using port 80/udp was a great example of a different application using a well-known port address, besides the one that would appear as the well-known port registration.

Sometimes bypassing IANA for port registration works in your favor, sometimes it doesn't. Of course there should be a way to set up connections that aren't listed in IANA, but using well-known low ports isn't safe. It's biting us and we've got to counter it. UDP doesn't do enough setup on a connection for you to really figure out if it's chargen or some new traffic type. Even if you have the luxury of putting a stateful firewall in a place and filtering based on what traffic is there, the only valid choice for an ISP would be to say "permit only the registered service chargen on port 19, oh, and block it anyway because nobody should be using chargen."
Taking the high road about blocking services was an option 10 years ago. The gear couldn't do it and most internet users were still somewhat tech savvy. The landscape has changed. I can't convince my cousin not to click on ransomware. I think my only viable option is to filter residential customers for their own good, and if someone actually wants/needs one of these ports opened then we can work with them.*
* ISPs have also reduced their abuse staffing by blocking port 25. It's either that or just acknowledge that you won't be able to process all your abuse emails because there are too many people spamming/too many compromised machines. So in some ways it's a financial need for us to block even more aggressively than big ISPs because we can't afford to staff abuse for things that are automatically fixable.
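The "block by default, open on request" policy the reply describes, as an added example that is not code from the thread or from any ISP. It is a stateless filter keyed only on addresses, protocol and destination port, which is exactly why it cannot tell chargen from anything else that lands on 19/udp; customers who ask for a port get a per-address exemption. The residential pool prefix (100.64.0.0/10), the blocked-port lists and every address below are constructed for illustration.

```python
"""Residential default-block policy with per-customer exemptions.

Added example, not code from the NANOG thread or from any ISP. The pool
prefix, blocked ports and addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed residential customer pool (CGNAT space, chosen for the example).
RESIDENTIAL_POOL = ipaddress.ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ResidentialPolicy:
    pool: ipaddress.IPv4Network = RESIDENTIAL_POOL
    # (proto, dport) refused when a customer address is the destination.
    blocked_inbound: set = field(
        default_factory=lambda: {("udp", 19), ("tcp", 19)})
    # (proto, dport) refused when a customer address is the source;
    # outbound 25/tcp is the port-25 block from the footnote.
    blocked_outbound: set = field(
        default_factory=lambda: {("udp", 19), ("tcp", 19), ("tcp", 25)})
    # customer address -> {(proto, port)} opened on request (assumed API)
    exemptions: dict = field(default_factory=dict)

    def open_port(self, customer: str, proto: str, port: int) -> None:
        """Record that this customer asked for a blocked port to be opened."""
        self.exemptions.setdefault(customer, set()).add((proto, port))

    def _exempt(self, customer: str, proto: str, port: int) -> bool:
        return (proto, port) in self.exemptions.get(customer, set())

    def decide(self, flow: Flow) -> tuple:
        """Return ("allow" | "deny", reason) for one packet's 5-tuple.

        Stateless: only addresses, protocol and destination port are
        consulted, so a new application on a blocked well-known port is
        refused just like the registered service, unless the customer
        explicitly asked for that port.
        """
        svc = (flow.proto, flow.dport)
        to_customer = ipaddress.ip_address(flow.dst) in self.pool
        from_customer = ipaddress.ip_address(flow.src) in self.pool

        if to_customer and svc in self.blocked_inbound:
            if self._exempt(flow.dst, *svc):
                return ("allow", "inbound %s/%d opened for %s" % (svc + (flow.dst,)))
            return ("deny", "inbound %s/%d blocked for residential pool" % svc)
        if from_customer and svc in self.blocked_outbound:
            if self._exempt(flow.src, *svc):
                return ("allow", "outbound %s/%d opened for %s" % (svc + (flow.src,)))
            return ("deny", "outbound %s/%d blocked for residential pool" % svc)
        return ("allow", "not a blocked port")


def run_demo() -> list:
    """Evaluate constructed flows; returns the list of verdict strings."""
    policy = ResidentialPolicy()
    customer, remote, relay = "100.64.5.9", "198.51.100.7", "203.0.113.10"
    flows = [
        # chargen request aimed at a customer: refused
        Flow("udp", remote, 40000, customer, 19),
        # customer talking to something on 80/udp (QUIC or anything else):
        # 80/udp is not on the list, so the filter lets it through
        Flow("udp", customer, 50000, remote, 80),
        # customer sending mail straight to port 25: refused
        Flow("tcp", customer, 51000, relay, 25),
        # same customer using the submission port instead: allowed
        Flow("tcp", customer, 51001, relay, 587),
    ]
    verdicts = [policy.decide(f)[0] for f in flows]
    # the customer asks for chargen to be opened; the same packet now passes
    policy.open_port(customer, "udp", 19)
    verdicts.append(policy.decide(flows[0])[0])
    return verdicts


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point of the second flow is the one Jimmy raised: nothing in the 5-tuple says whether 80/udp is QUIC or a registered service, so a port list can only ever be a list of ports you refuse to carry by default, not an application classifier.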