Re: Blocking packets from suspicious ports

Willy Tarreau <w@1wt.eu> Wed, 04 May 2022 09:41 UTC

Return-Path: <w@1wt.eu>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B2EAC157B4F for <quic@ietfa.amsl.com>; Wed, 4 May 2022 02:41:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hxVcTd5_fLmQ for <quic@ietfa.amsl.com>; Wed, 4 May 2022 02:41:48 -0700 (PDT)
Received: from 1wt.eu (wtarreau.pck.nerim.net [62.212.114.60]) by ietfa.amsl.com (Postfix) with ESMTP id D8BB8C14792F for <quic@ietf.org>; Wed, 4 May 2022 02:41:45 -0700 (PDT)
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 2449fZG1026634; Wed, 4 May 2022 11:41:35 +0200
Date: Wed, 04 May 2022 11:41:35 +0200
From: Willy Tarreau <w@1wt.eu>
To: Carsten Bormann <cabo@tzi.org>
Cc: Christian Huitema <huitema@huitema.net>, Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>, IETF QUIC WG <quic@ietf.org>
Subject: Re: Blocking packets from suspicious ports
Message-ID: <20220504094135.GE26036@1wt.eu>
References: <6830cf87-e1b6-14bb-7b10-9341fdb6d941@huitema.net> <1b686f1e-912d-5c02-cf5f-a8afbdd924bb@redbarn.org> <20220503032335.GB20878@1wt.eu> <e8c90e2b-e0f1-82ca-8243-2b41412de513@huitema.net> <20220504040937.GA25251@1wt.eu> <c29d88ab-20f2-45d3-6398-bbc5be8e7246@huitema.net> <20220504065344.GA26036@1wt.eu> <098A8520-0935-4D13-875C-97EBB50CB347@tzi.org> <20220504082319.GD26036@1wt.eu> <862758CC-03FC-413C-B8E3-79F9F93EDB30@tzi.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="k1lZvvs/B4yU6o8G"
Content-Disposition: inline
In-Reply-To: <862758CC-03FC-413C-B8E3-79F9F93EDB30@tzi.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/csXPgYvR4S_SNDpY4MgycqZSqzM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2022 09:41:49 -0000

On Wed, May 04, 2022 at 10:28:04AM +0200, Carsten Bormann wrote:
> On 4. May 2022, at 10:23, Willy Tarreau <w@1wt.eu> wrote:
> > 
> >> Instead of collecting wafting lists of undesirable ports, would it make sense
> >> to more architecturally partition port numbers between those used by servers
> >> and those used by clients?
> > 
> > That's the point, and that has been done for more than 40 years now
> > by having unprivileged users only select ports >= 1024, resulting in
> > the range 1024:65535 being commonly used as the only valid source
> > range for incoming connections.
> 
> Sure.  But I wasn't talking about system ports (< 1024).
> Ephemeral ports (client ports) used to be 48*1024 up, and (user-level) servers were in 1*1024...48*1024.

It's always mostly been OS-dependent in fact. I remember being told
in the 90s that "clients use ports 1024-4999 since ports 5000 and above
are reserved" :-)

> This has weakened over time, but maybe it is useful enough to use it more again.

Beyond that 1024 frontier there's not much that can be said anymore as
various systems use different ranges *by default* and infrastructure
components that use lots of ports are quickly tuned to extend these
ranges as much as possible to reduce source port conflicts. Same for
highly loaded NAT gateways by the way.

For example I graphed what I'm seeing at home over a week (attached).
~30% of the incoming requests come from ports < 32768, and 65% from
32768..61000 (the default range on Linux). It's possible that sites
that are more centric to other OSes would see a different distribution.

Regards,
Willy
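The port distribution Willy describes above can be measured directly from a connection log before any source-port filter is deployed. The script below is an added example and is not part of this thread or of any project discussed in it; it assumes a constructed log format with `src=IP:port` fields (IPv4 or bracketed IPv6) and uses the bucket boundaries named in the mail: system ports below 1024, the rest of the user range, the Linux default ephemeral range 32768..61000, and everything above. The sample lines are constructed, not captured traffic.

```python
"""Bucket incoming source ports to see what a source-port filter would hit.

Added example; bucket labels, log format and sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Bucket boundaries follow the conventions mentioned in the thread.
# Labels are our own (hypothetical), the ranges are inclusive.
BUCKETS = (
    ("system <1024", 0, 1023),
    ("user 1024..32767", 1024, 32767),
    ("linux-default 32768..61000", 32768, 61000),
    ("high 61001..65535", 61001, 65535),
)

# Matches "src=IPv4:port" or "src=[IPv6]:port" in an assumed log format.
_SRC_RE = re.compile(
    r"\bsrc=(?:\[(?P<v6>[0-9a-fA-F:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3}))"
    r":(?P<port>\d{1,5})\b"
)

# Constructed sample log: one line per accepted datagram/connection.
SAMPLE_LOG = [
    "2022-05-04T11:00:01 accept proto=udp src=198.51.100.10:443 dst=203.0.113.5:443",
    "2022-05-04T11:00:02 accept proto=udp src=198.51.100.11:1025 dst=203.0.113.5:443",
    "2022-05-04T11:00:03 accept proto=udp src=198.51.100.12:5000 dst=203.0.113.5:443",
    "2022-05-04T11:00:04 accept proto=udp src=198.51.100.13:20000 dst=203.0.113.5:443",
    "2022-05-04T11:00:05 accept proto=udp src=198.51.100.14:32768 dst=203.0.113.5:443",
    "2022-05-04T11:00:06 accept proto=udp src=[2001:db8::1]:33000 dst=[2001:db8::5]:443",
    "2022-05-04T11:00:07 accept proto=udp src=198.51.100.15:40000 dst=203.0.113.5:443",
    "2022-05-04T11:00:08 accept proto=udp src=198.51.100.16:50000 dst=203.0.113.5:443",
    "2022-05-04T11:00:09 accept proto=udp src=198.51.100.17:61000 dst=203.0.113.5:443",
    "2022-05-04T11:00:10 accept proto=udp src=198.51.100.18:61001 dst=203.0.113.5:443",
    "2022-05-04T11:00:11 accept proto=udp src=198.51.100.19:65000 dst=203.0.113.5:443",
    "2022-05-04T11:00:12 accept proto=udp src=unknown dst=203.0.113.5:443",  # malformed
]


def parse_source_port(line: str) -> Optional[int]:
    """Return the source port from a log line, or None if absent/invalid."""
    m = _SRC_RE.search(line)
    if not m:
        return None
    port = int(m.group("port"))
    return port if 0 <= port <= 65535 else None


def classify_port(port: int) -> str:
    """Map a port to the bucket label it falls into."""
    for label, lo, hi in BUCKETS:
        if lo <= port <= hi:
            return label
    raise ValueError(f"port out of range: {port}")


def source_ports(lines: Iterable[str]) -> List[int]:
    """Extract every parseable source port, skipping malformed lines."""
    return [p for p in (parse_source_port(ln) for ln in lines) if p is not None]


def distribution(ports: List[int]) -> Dict[str, Tuple[int, float]]:
    """Count and share of observed source ports per bucket."""
    counts = Counter(classify_port(p) for p in ports)
    total = len(ports)
    return {
        label: (counts[label], counts[label] / total if total else 0.0)
        for label, _, _ in BUCKETS
    }


def share_below(ports: List[int], threshold: int) -> float:
    """Fraction of observed traffic a rule 'drop if source port < threshold' would reject."""
    if not ports:
        return 0.0
    return sum(1 for p in ports if p < threshold) / len(ports)


if __name__ == "__main__":
    observed = source_ports(SAMPLE_LOG)
    for label, (n, share) in distribution(observed).items():
        print(f"{label:28s} {n:4d}  {share:6.1%}")
    print(f"rejected by 'src port < 1024'  : {share_below(observed, 1024):.1%}")
    print(f"rejected by 'src port < 32768' : {share_below(observed, 32768):.1%}")
```

`share_below` is the number to look at before adopting a blanket low-port filter: it states, for the site's own traffic mix, how much legitimate traffic a threshold rule would have dropped, which is the collateral the thread is weighing. Replace `SAMPLE_LOG` with lines from the real accept log to get the site-specific figure.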