IETF Logo Mail Archive

Blocking packets from suspicious ports

Christian Huitema <huitema@huitema.net> Mon, 02 May 2022 20:29 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66E1EC14F738 for <quic@ietfa.amsl.com>; Mon, 2 May 2022 13:29:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.885
X-Spam-Level:
X-Spam-Status: No, score=-1.885 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hmvC0-tPi9OJ for <quic@ietfa.amsl.com>; Mon, 2 May 2022 13:29:42 -0700 (PDT)
Received: from mx36-out20.antispamcloud.com (mx36-out20.antispamcloud.com [209.126.121.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6F96C14F734 for <quic@ietf.org>; Mon, 2 May 2022 13:29:42 -0700 (PDT)
Received: from xse290.mail2web.com ([66.113.197.36] helo=xse.mail2web.com) by mx256.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1nlcfm-0004ne-Ml for quic@ietf.org; Mon, 02 May 2022 22:29:37 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4KsZSm4QWCzB76 for <quic@ietf.org>; Mon, 2 May 2022 13:29:28 -0700 (PDT)
Received: from [10.5.2.12] (helo=xmail02.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1nlcfg-0007Vw-Fm for quic@ietf.org; Mon, 02 May 2022 13:29:28 -0700
Received: (qmail 25483 invoked from network); 2 May 2022 20:29:27 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.43.164]) (envelope-sender <huitema@huitema.net>) by xmail02.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 2 May 2022 20:29:27 -0000
Message-ID: <6830cf87-e1b6-14bb-7b10-9341fdb6d941@huitema.net>
Date: Mon, 02 May 2022 13:29:28 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.1
Content-Language: en-US
To: IETF QUIC WG <quic@ietf.org>
From: Christian Huitema <huitema@huitema.net>
Subject: Blocking packets from suspicious ports
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: 66.113.197.36
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCDtk k0b/poqLzbw49wn26eLmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7ImcaNOiP8tKCLoTs73rCt+paKRQ6V51u76v35b1wNe/MvdIASZp0 7mnQqdezZCtq+A712+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEJRQ2qC7jjynPIHPNqSn4 QTXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7hMIABpqqRGKyDs8xujM3cqKtEyjRS48tkuSWBkVvcslMwVh5dS4m9RpuKKUMLt7mBF KD/cFoFu+UlQVhEwAolXEnFzsC48bTEFY06/YbB87Ww8G0LoS8V3Mt1pta8qAcLtCB3G1CwpaI3Z 4ESkMWDVJEenxBoIht3V0nekAoxXAp1hvzF0oh62NIfr1igY9cSyuLfHqAnAj7rgKH7+eCmmXCAe Zgi0IcLwINaINEak/lShcA6Xvva2QAVEjpqzANap+28aWyCRVT7YkY7LckVcAgGgaHZINcgLZCXM OtAiHL13qFZSq8Fx+9otn0aqja8VKPqpdskk5LxBR/9t1zMMkdu6/R2FM84kxYRFSvC1IDg1BRW7 hzp8w3iHcOwbVtsmWfnQGGis4EvbR3jXsI0ESXwhBU2hwt/J18C+HygJl/jEzm1SsR8v3aJbN/NZ fa8pHhHaz+HPa0HAgEx4sWDF
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/Uvg1BgKi9pvLjPDI0vMD_nZJlgU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 20:29:46 -0000

Services based on UDP have to be worried about two variants of DDOS 
attacks: being an unwitting amplifier of a DDOS attack, and being on the 
receiving end of a DDOS attack. The first concern is addressed in the 
spec, with amplification limits and the Retry packet. The second concern 
is often mitigated by silently discarding traffic from ports often used 
in amplification of UDP DDOS attacks, e.g., DNS, or NTP. After reviewing 
discussions like 
https://lists.w3.org/Archives/Public/ietf-http-wg/2021JulSep/0053.html I 
implemented this port blocking feature in Picoquic, but I have a couple 
of uneasy feelings when doing that.

The list of ports appear a tiny bit arbitrary. It mostly derives from 
reports on recent DDOS attacks, some of which are publicly available 
(e.g., https://blog.cloudflare.com/reflections-on-reflections/) while 
others appear to be propagated through private channels. The resulting 
lists may be a bit arbitrary. For example, some lists include port 11211 
(memcache daemon), but Cloudflare does not, maybe because we don't see 
much attacks on that port anymore. Many lists include blocking of port 
137 (NetBios name service), but only a few include port 138 (NetBios 
datagram service).

If I dig a little bit further, I think that differences in the blocked 
lists come from different priorities. We may want to protect QUIC 
servers from amplified UDP DDOS attacks, but we may also want to protect 
local services from Request Forgery Attacks. In the second case, the 
list of blocked ports gets bigger. But that too is arbitrary. For 
example, some lists include port 5353 (mDNS) and port 1900 (SSDP), but 
it seems that nobody bothers with port 5354 (LLMNR) or port 3702 
(WS-Discovery).

Then, there is the way in which blocking is applied. One could just do 
it for all incoming packets, silently dropping whatever comes from a 
blocked port. Clean, simple, but some per packet overhead. Is it enough 
to apply the checks when receiving Initial packets and deciding whether 
to create a connection or not? What about packets that would trigger a 
VN response, or a stateless retry? What about probes for new paths?

-- Christian Huitema

v2.23.0 | Report a Bug | By Email