IETF Logo Mail Archive

Re: Blocking packets from suspicious ports

Christian Huitema <huitema@huitema.net> Wed, 04 May 2022 15:51 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7F7CC157B32 for <quic@ietfa.amsl.com>; Wed, 4 May 2022 08:51:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.745
X-Spam-Level:
X-Spam-Status: No, score=-3.745 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-1.857, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 230v9yjjNCwT for <quic@ietfa.amsl.com>; Wed, 4 May 2022 08:50:58 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8C23C147921 for <quic@ietf.org>; Wed, 4 May 2022 08:50:57 -0700 (PDT)
Received: from xse339.mail2web.com ([66.113.197.85] helo=xse.mail2web.com) by mx257.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1nmHH9-0001xn-2k for quic@ietf.org; Wed, 04 May 2022 17:50:54 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4KthB90Rl4zBJZ for <quic@ietf.org>; Wed, 4 May 2022 08:50:41 -0700 (PDT)
Received: from [10.5.2.12] (helo=xmail02.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1nmHGy-00008D-TH for quic@ietf.org; Wed, 04 May 2022 08:50:40 -0700
Received: (qmail 7899 invoked from network); 4 May 2022 15:50:30 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.43.164]) (envelope-sender <huitema@huitema.net>) by xmail02.myhosting.com (qmail-ldap-1.03) with ESMTPA for <w@1wt.eu>; 4 May 2022 15:50:26 -0000
Message-ID: <f42eb3ea-9db4-e425-290b-f73731cea08f@huitema.net>
Date: Wed, 04 May 2022 08:50:18 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.1
Content-Language: en-US
To: Willy Tarreau <w@1wt.eu>
Cc: IETF QUIC WG <quic@ietf.org>
References: <6830cf87-e1b6-14bb-7b10-9341fdb6d941@huitema.net> <1b686f1e-912d-5c02-cf5f-a8afbdd924bb@redbarn.org> <20220503032335.GB20878@1wt.eu> <e8c90e2b-e0f1-82ca-8243-2b41412de513@huitema.net> <20220504040937.GA25251@1wt.eu> <c29d88ab-20f2-45d3-6398-bbc5be8e7246@huitema.net> <20220504065344.GA26036@1wt.eu>
From: Christian Huitema <huitema@huitema.net>
Subject: Re: Blocking packets from suspicious ports
In-Reply-To: <20220504065344.GA26036@1wt.eu>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: 66.113.197.85
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.12)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT8RFtZ3MYl+P3uqlxLn28xQPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCAMj 5HSCBhzV25srGguf1gfmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7ImcaNOiP8tKCLoTs73rCt+paKRQ6V51u76v35b1wNe/MvdKgXtf/ I8Zg+7J5IC/SF7EL2+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEJRQ2qC7jjynPIHPNqSn4 QTXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7hMIABpqqRGKyDs8xujM3cqz2icAXJ44pwgKRmsUjw7TLNrvlMheIEZUFAzXGuEIj2A eGaeLaMqyCzrPl65+dYpEnFzsC48bTEFY06/YbB87Ww8G0LoS8V3Mt1pta8qAcLtCB3G1CwpaI3Z 4ESkMWDVJEenxBoIht3V0nekAoxXAljn4irUr5oBnrKBj1Dx78qyuLfHqAnAj7rgKH7+eCmmrwmQ 0sfcJRujCb6JfrBvQ1ShcA6Xvva2QAVEjpqzANap+28aWyCRVT7YkY7LckVcrMvVtiKFU7+uiIYk NqlDvb13qFZSq8Fx+9otn0aqja8VKPqpdskk5LxBR/9t1zMMkdu6/R2FM84kxYRFSvC1IDg1BRW7 hzp8w3iHcOwbVtsmWfnQGGis4EvbR3jXsI0ESXwhBU2hwt/J18C+HygJl/jEzm1SsR8v3aJbN/NZ fa8pHhHaz+HPa0HAgEx4sWDF
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/cUjFAS73IQP6iQZIN3WsI7id_jY>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2022 15:51:01 -0000

On 5/3/2022 11:53 PM, Willy Tarreau wrote:
> On Tue, May 03, 2022 at 11:00:11PM -0700, Christian Huitema wrote:
>> QUIC includes a feature to facilitate moving a connection from an anycast
>> address to a unicast address. The client finds the anycast address through
>> the DNS, contacts the server, learns a "preferred server address" during the
>> handshake, and tries validating that preferred address before using it for
>> the rest of the connection duration, without risk losing the connection to a
>> routing event that redirects anycast to a different server. Which is nice,
>> but of course a villainous server could feed a bogus preferred address.
>> That's the client bounce for you. All the server packets before the bounce
>> are sent with the expected 5 tuple. And of course the "preferred address" is
>> sent using encrypted packets.
> Ah, I wasn't aware, seen like this, that's fun. Well, I guess the client
> will try to connect to the new address with some info allowing to identify
> the origin server (e.g. SNI), thus allowing a QUIC decoder/server at that
> address to spot where the client found the address, no ?

Everything is encrypted, except for a few bytes in the packet header 
that carry a connection identifier, i.e., an octet string chosen by the 
server. The server provides the client with a list of those; if needed, 
that list is known by the load balancer at the server side, so the LB 
can forward the packet to the right server in the farm. The encryption 
key is specific to the connection, so only the right server can respond.

>>> There *will* inevitably be some problems at the beginning, but one good
>>> thing is that solutions are reasonably simple, can instantly be deployed
>>> in field using port filtering, and will quickly land in the code itself
>>> because the various stack authors have full control of their code.
>> Port filtering at the edge will not catch the "preferred address attack" in
>> which the server proposes a non-anycast address to the client, so I guess
>> QUIC stacks will have to protect that. As in, if a server says "please move
>> the connection to 10.0.0.1:53", the client should just decline and stick to
>> the anycast address. And yes, using a configurable list makes sense.
> Yes, that's a good point, I agree. I think quite a bit of the burden will
> be on the clients' shoulder. It reminds me the good joke we had in the 90s,
> creating a "warez.<domain>" DNS entry pointing to 127.0.0.1. I've personally
> seen someone trapped and saying "what, they stole'my data!" after ftping
> there :-)
>
>>>> Yes. Should that really be "per source port" or "per source IP + port"?
>>> Per port should be sufficient. There's no reason from the server side that
>>> multiple clients collectively decide to use the same source port to send
>>> legit traffic. And using the port alone will allow to quicky detect a new
>>> internet-wide attack coming from a randomly vulnerable service (IoT
>>> gateways, ToIP etc) regardless of their address. I don't know how this
>>> would be distributed, but I guess that if a source port is responsible
>>> for 100 times more traffic than all other one combined, it will usually
>>> be a good indicator that you don't want to deal with that traffic anymore.
>> I would expect quite a bit of legit server-to-server traffic on ports 443 or
>> 853,
> I think that's exactly the thing we must avoid. Encouraging (or even
> allowing) this is exactly what will make it impossible for infrastructure
> to defend itself against massive attacks. There's no value in using the
> same port on both sides. The savings of sockets and source ports are
> already enormous, going from N to 1 from TCP to QUIC, if an agent needs
> to make outgoing connections, it certainly can afford a second socket,
> which is nothing compared to the hundreds of thousands it would have used
> in TCP. Not being willing to do that is putting the internet at risk. For
> example among the protections you usually find at the edge is the blocking
> of a TCP SYN packet from a source port below 1024. A few services in the
> past (rlogin, rsh) used to bind to ports 512-1023 to "prove" that the
> user ID was authenticated by the local OS, but that's never seen over the
> net. One service has caused trouble to this, active FTP with source port
> 20, and rules which were a bit too lax used to allow it to connect to any
> service (e.g. SMTP) thereby allowing to use FTP servers to send spams by
> retrieving files that contained SMTP protocol contents. This has
> contributed to making active FTP unpopular, and nowadays it has become
> safe to block SYN from sources < 1024 at the edge. UDP doesn't have such
> a thing as a SYN flag and it's critical that traffic cannot be made
> symmetrical, or there's no more infrastructure filtering and only
> application level filtering.

Too bad that nobody discussed that during the review of 
https://datatracker.ietf.org/doc/draft-ietf-quic-manageability/, that 
could have been a nice place for such considerations.

It seems that we really need to write all these recommendations in a 
draft. Services that are peer-to-peer in nature would tend to use a 
single port.Same for QUIC stacks. It is a little bit easier to use a 
single socket than to force outgoing connections on a single socket. If 
we want them to use two separate ports, we have to explain convincingly.

On the other hand, I think we are past the "port below 1024" rules. For 
example, memcached is on port 11211, MDNS on port 5353, and there are 
many more like that.

>> but yes, keeping a dynamic list of most abused ports makes sense.
>> Although that's mostly an issue for volumetric attacks, and host based
>> defenses are not too efficient there, but still it feels better than just
>> receiving the attack and waiting until it stops.
> Definitely.
>
>>>>> I think we'll discover new fun things over time and will learn new
>>>>> attacks and workarounds as deployments grow.
>>>> I have not heard of actual attacks "in the wild", but who knows...
>>> It's too early, stacks are still evolving and the level of deployment
>>> is not high yet. That doesn't mean nobody is trying to elaborate new
>>> attacks. For example yesterday on my home servers which do not advertise
>>> QUIC I received one short packet from port 443 to port 443 from a host
>>> named "scanners.labs.something", and a 1238-byte one from a random port
>>> to 443 from a host named "scan-19a.somethingelse". Thus it shows that
>>> studies are already in progress. We just need to be patient :-)
>>
>> We probably will not have to wait too long...
> I hope so. It's important to get real-world feedback on protocols early
> enough to allow them to improve. It's especially important right now that
> any QUIC site can fall back to H1/H2 over TCP so it's easy to just block
> it in case of massive failure. If big problems are reported only 10 years
> after deployment it will be much harder to disable it in emergency.

Yes, but out of our control...

-- Christian Huitema

v2.23.0 | Report a Bug | By Email