Blocking packets from suspicious ports
Christian Huitema <huitema@huitema.net> Mon, 02 May 2022 20:29 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66E1EC14F738 for <quic@ietfa.amsl.com>; Mon, 2 May 2022 13:29:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.885
X-Spam-Level:
X-Spam-Status: No, score=-1.885 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hmvC0-tPi9OJ for <quic@ietfa.amsl.com>; Mon, 2 May 2022 13:29:42 -0700 (PDT)
Received: from mx36-out20.antispamcloud.com (mx36-out20.antispamcloud.com [209.126.121.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6F96C14F734 for <quic@ietf.org>; Mon, 2 May 2022 13:29:42 -0700 (PDT)
Received: from xse290.mail2web.com ([66.113.197.36] helo=xse.mail2web.com) by mx256.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1nlcfm-0004ne-Ml for quic@ietf.org; Mon, 02 May 2022 22:29:37 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4KsZSm4QWCzB76 for <quic@ietf.org>; Mon, 2 May 2022 13:29:28 -0700 (PDT)
Received: from [10.5.2.12] (helo=xmail02.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1nlcfg-0007Vw-Fm for quic@ietf.org; Mon, 02 May 2022 13:29:28 -0700
Received: (qmail 25483 invoked from network); 2 May 2022 20:29:27 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.43.164]) (envelope-sender <huitema@huitema.net>) by xmail02.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 2 May 2022 20:29:27 -0000
Message-ID: <6830cf87-e1b6-14bb-7b10-9341fdb6d941@huitema.net>
Date: Mon, 02 May 2022 13:29:28 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.1
Content-Language: en-US
To: IETF QUIC WG <quic@ietf.org>
From: Christian Huitema <huitema@huitema.net>
Subject: Blocking packets from suspicious ports
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: 66.113.197.36
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCDtk k0b/poqLzbw49wn26eLmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7ImcaNOiP8tKCLoTs73rCt+paKRQ6V51u76v35b1wNe/MvdIASZp0 7mnQqdezZCtq+A712+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEJRQ2qC7jjynPIHPNqSn4 QTXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7hMIABpqqRGKyDs8xujM3cqKtEyjRS48tkuSWBkVvcslMwVh5dS4m9RpuKKUMLt7mBF KD/cFoFu+UlQVhEwAolXEnFzsC48bTEFY06/YbB87Ww8G0LoS8V3Mt1pta8qAcLtCB3G1CwpaI3Z 4ESkMWDVJEenxBoIht3V0nekAoxXAp1hvzF0oh62NIfr1igY9cSyuLfHqAnAj7rgKH7+eCmmXCAe Zgi0IcLwINaINEak/lShcA6Xvva2QAVEjpqzANap+28aWyCRVT7YkY7LckVcAgGgaHZINcgLZCXM OtAiHL13qFZSq8Fx+9otn0aqja8VKPqpdskk5LxBR/9t1zMMkdu6/R2FM84kxYRFSvC1IDg1BRW7 hzp8w3iHcOwbVtsmWfnQGGis4EvbR3jXsI0ESXwhBU2hwt/J18C+HygJl/jEzm1SsR8v3aJbN/NZ fa8pHhHaz+HPa0HAgEx4sWDF
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/Uvg1BgKi9pvLjPDI0vMD_nZJlgU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 20:29:46 -0000
Services based on UDP have to be worried about two variants of DDOS attacks: being an unwitting amplifier of a DDOS attack, and being on the receiving end of a DDOS attack. The first concern is addressed in the spec, with amplification limits and the Retry packet. The second concern is often mitigated by silently discarding traffic from ports often used in amplification of UDP DDOS attacks, e.g., DNS, or NTP. After reviewing discussions like https://lists.w3.org/Archives/Public/ietf-http-wg/2021JulSep/0053.html I implemented this port blocking feature in Picoquic, but I have a couple of uneasy feelings when doing that. The list of ports appear a tiny bit arbitrary. It mostly derives from reports on recent DDOS attacks, some of which are publicly available (e.g., https://blog.cloudflare.com/reflections-on-reflections/) while others appear to be propagated through private channels. The resulting lists may be a bit arbitrary. For example, some lists include port 11211 (memcache daemon), but Cloudflare does not, maybe because we don't see much attacks on that port anymore. Many lists include blocking of port 137 (NetBios name service), but only a few include port 138 (NetBios datagram service). If I dig a little bit further, I think that differences in the blocked lists come from different priorities. We may want to protect QUIC servers from amplified UDP DDOS attacks, but we may also want to protect local services from Request Forgery Attacks. In the second case, the list of blocked ports gets bigger. But that too is arbitrary. For example, some lists include port 5353 (mDNS) and port 1900 (SSDP), but it seems that nobody bothers with port 5354 (LLMNR) or port 3702 (WS-Discovery). Then, there is the way in which blocking is applied. One could just do it for all incoming packets, silently dropping whatever comes from a blocked port. Clean, simple, but some per packet overhead. Is it enough to apply the checks when receiving Initial packets and deciding whether to create a connection or not? What about packets that would trigger a VN response, or a stateless retry? What about probes for new paths? -- Christian Huitema
- Blocking packets from suspicious ports Christian Huitema
- Re: Blocking packets from suspicious ports Paul Vixie
- Re: Blocking packets from suspicious ports Willy Tarreau
- Re: Blocking packets from suspicious ports Christian Huitema
- Re: Blocking packets from suspicious ports Willy Tarreau
- Re: Blocking packets from suspicious ports Willy Tarreau
- Re: Blocking packets from suspicious ports Christian Huitema
- Re: Blocking packets from suspicious ports Carsten Bormann
- Re: Blocking packets from suspicious ports Willy Tarreau
- Re: Blocking packets from suspicious ports Carsten Bormann
- Re: Blocking packets from suspicious ports Willy Tarreau
- Re: Blocking packets from suspicious ports Carsten Bormann
- Re: Blocking packets from suspicious ports Willy Tarreau
- Re: Blocking packets from suspicious ports Christian Huitema
- Re: Blocking packets from suspicious ports Mirja Kuehlewind
- Re: Blocking packets from suspicious ports Christian Huitema